Merge pull request #3 from novekm/novekm/update

Novekm/update
aws-ia · Jul 16, 2024 · d50ebfc · d50ebfc
2 parents 64ab031 + 0bf00f9
commit d50ebfc
Show file tree

Hide file tree

Showing 7 changed files with 218 additions and 42 deletions.
diff --git a/.config/.checkov.yml b/.config/.checkov.yml
@@ -9,39 +9,91 @@ skip-check:
 - CKV_AZURE*
 - CKV2_AZURE*
 - CKV_TF_1 # default to Terraform registry instead of Git
-- CKV2_AWS_5 # Ensure that Security Groups are attached to another resource
-- CKV2_AWS_47 # Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
-- CKV2_AWS_28 # Ensure public facing ALB are protected by WAF
-- CKV2_AWS_42 # Ensure AWS CloudFront distribution uses custom SSL certificate
+
+
+# - VPC -
+# Suppressed as the only VPC resources created are used only by required components of the module. Our belief is that most customers have security requirements that enforce use of existing organization defined networking and security resource. The module provides functionality to reference these existing resources if desired.
 - CKV2_AWS_11 # Ensure VPC flow logging is enabled in all VPCs
+# Suppressed as it is not relevant. The module creates an EIP and attached to a NAT Gateway, not an EC2 instance. EC2 is not used in this solution.
 - CKV2_AWS_19 # Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
+# Suppressed as it is not relevant to this module. Security groups have been scoped down to minimum rules required for module functionality. Further, customers have the ability to reference their own existing networking and security resources.
 - CKV2_AWS_12 # Ensure the default security group of every VPC restricts all traffic
+# Suppressed due to an ongoing false-positive issue: https://github.com/bridgecrewio/checkov/issues/1203
+- CKV2_AWS_5 # Ensure that Security Groups are attached to another resource
+
+
+# - Application Load Balancer -
+# Suppressed as it is not relevant. This module does not currently support custom SSL certifications, which is a requirement to enable HTTPS for the ALB. Instead, the default CloudFront SSL certificate is used. If there is customer demand, this may be added in a future version of the module.
+- CKV_AWS_2 # Ensure ALB protocol is HTTPS
+# Suppressed as this will cause customers to incur additional cost. Will consider adding support for this in future module versions upon customer request.
+- CKV_AWS_91 # Ensure the ELBv2 (Application/Network) has access logging enabled
+# Suppressed as this will cause pipeline failures during functional tests if enabled by default. Customers can conditionally enable this via the 'enable_alb_deletion_protection' variable.
+- CKV_AWS_150 # Ensure that Load Balancer has deletion protection enabled
+# Suppressed as WAFv2 is not currently enabled in this version of the module. This would add additional customer cost, and can be added on top of the module solution leveraging the module outputs.
+- CKV2_AWS_28 # Ensure public facing ALB are protected by WAF
+# Suppressed as this handled by CloudFront. The ALB is configured to deny all access unless it comes from CloudFront, which is configured to redirect HTTP requests into HTTPS requests.
 - CKV2_AWS_20 # Ensure that ALB redirects HTTP requests into HTTPS ones
-- CKV2_AWS_32 # Ensure CloudFront distribution has a response headers policy attached
+# Suppressed as this is a false positive. The module is configured to use the 'ELBSecurityPolicy-TLS13-1-2-2021-06' AWS managed security policy which uses TLS 1.3 and is backwards compatible with TLS 1.2.
+- CKV_AWS_103 # Ensure that load balancer is using at least TLS 1.2
+
+
+# - ECS -
+# Suppressed as this will lead to additional customer cost. If there is customer demand, this may be added via a conditional variable in a future module release.
 - CKV_AWS_65 # Ensure container insights are enabled on ECS cluster
-- CKV_AWS_333 # Ensure ECS services do not have public IP addresses assigned to them automatically
-- CKV_AWS_158 # Ensure that CloudWatch Log Group is encrypted by KMS
+
+
+# - ECR -
+# Suppressed as this is a false positive. The module is configured to allow customers enable the ECR repository to use immutable tags is they so choose.
+- CKV_AWS_306 # Ensure ECR repository is immutable
 - CKV_AWS_51 # Ensure ECR Image Tags are immutable
-- CKV_AWS_103 # Ensure that load balancer is using at least TLS 1.2
+# Suppressed. This is optional and will cause additional cost. AES256 is the default encryption for Amazon ECR. Module provides the ability for customers to use KMS if they wish.
 - CKV_AWS_136 # Ensure that ECR repositories are encrypted using KMS
+# Suppressed as this is false positive. The module allows customers to enable ECR image scanning on push if they so choose.
 - CKV_AWS_163 # Ensure ECR image scanning on push is enabled
-- CKV_AWS_91 # Ensure the ELBv2 (Application/Network) has access logging enabled
-- CKV_AWS_150 # Ensure that Load Balancer has deletion protection enabled
-- CKV_AWS_2 # Ensure ALB protocol is HTTPS
-- CKV_AWS_310 # Ensure CloudFront distributions should have origin failover configured
+
+
+# - CloudFront -
+# Suppressed as WAFv2 is not currently enabled in this version of the module. This would add additional customer cost, and can be added on top of the module solution leveraging the module outputs.
 - CKV_AWS_68 # CloudFront Distribution should have WAF enabled
+- CKV2_AWS_47 # Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
+# Suppressed as module does not currently support custom SSL certificates.
+- CKV2_AWS_42 # Ensure AWS CloudFront distribution uses custom SSL certificate
+# Suppressed as it is not supported by the current version of the module. May be added in future module versions upon customer request.
+- CKV2_AWS_32 # Ensure CloudFront distribution has a response headers policy attached
+- CKV_AWS_310 # Ensure CloudFront distributions should have origin failover configured
 - CKV_AWS_86 # Ensure CloudFront distribution has Access Logging enabled
 - CKV_AWS_174 # Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
 - CKV_AWS_305 # Ensure CloudFront distribution has a default root object configured
-- CKV_AWS_219 # Ensure CodePipeline Artifact store is using a KMS CMK
-- CKV_AWS_314 # Ensure CodeBuild project environments have a logging configuration
+
+
+# - S3 -
+# Suppressed as this will lead to unnecessary additional cost for customers.
+- CKV_AWS_144 # Ensure that S3 bucket has cross-region replication enabled
+# Suppressed. Versioning is enabled for the Streamlit Artifacts S3 bucket, however this is not required for the CodePipeline Artifacts bucket as this is just a copy of the file that already exists in the bucket with versioning enabled.
+- CKV2_AWS_16 # Ensure S3 bucket has versioning enabled
+- CKV_AWS_21 # Ensure all data stored in the S3 bucket have versioning enabled
+# Suppressed as this is enabled on all new Amazon S3 Buckets by default.
+- CKV2_AWS_62 # Ensure S3 buckets are encrypted with AWS KMS by default
+- CKV2_AWS_63 # Ensure S3 bucket has server-side encryption enabled
+# Suppressed as this will incur additional cost. S3 Buckets are encrypted with SSE-S3 encryption by default. The ability to use CMK will potentially be added in future module versions upon customer request.
+- CKV_AWS_145 # Ensure that S3 buckets are encrypted with KMS by default
+# Suppressed as this is enabled on all new Amazon S3 Buckets by default.
 - CKV2_AWS_6 # Ensure that S3 bucket has a Public Access block
+# Suppressed as this could cause unintentional customer data loss. Will consider adding support for this in future module versions upon customer request.
 - CKV2_AWS_61 # Ensure that an S3 bucket has a lifecycle configuration
+# Suppressed as this could lead to increase cost. Versioning is enabled for the Streamlit Artifacts S3 bucket, however this is not required for the CodePipeline Artifacts bucket as this is just a copy of the file that already exists in the bucket with versioning enabled.
 - CKV2_AWS_62 # Ensure S3 buckets should have event notifications enabled
+# Suppressed as this is enabled for the Streamlit Assets S3 Bucket and is not required for the CodePipeline Artifacts bucket.
 - CKV_AWS_18 # Ensure the S3 bucket has access logging enabled
-- CKV_AWS_145 # Ensure that S3 buckets are encrypted with KMS by default
-- CKV_AWS_144 # Ensure that S3 bucket has cross-region replication enabled
-- CKV_AWS_21 # Ensure all data stored in the S3 bucket have versioning enabled
+# Suppressed as it is not supported by the current version of the module. May be added in future module versions upon customer request.
+- CKV2_AWS_17 # Ensure S3 bucket access is restricted to specific IP addresses or CIDR blocks
+- CKV2_AWS_64 # Ensure S3 bucket has object lock enabled
+
+
+# - CodePipeline/CodeBuild -
+# Suppressed as this is not relevant. The CodePipeline Artifacts S3 Bucket has encryption enabled using SSE-S3 encryption. This is default for all new S3 Buckets. If the ability to reference an existing KMS CMK is desired by customers, this will be addressed in a future version of the module.
+- CKV_AWS_219 # Ensure CodePipeline Artifact store is using a KMS CMK
+- CKV_AWS_314 # Ensure CodeBuild project environments have a logging configuration
 
 
 summary-position: bottom

diff --git a/.config/functional_tests/pre-entrypoint-helpers.sh b/.config/functional_tests/pre-entrypoint-helpers.sh
@@ -12,3 +12,7 @@ cd ${PROJECT_PATH}
 
 #********** AWS Region Export *************
 export AWS_DEFAULT_REGION=us-east-1
+
+#********** ABP Local Storage *************
+mkdir -p ~/dev/aws-ia/.aws
+mkdir -p ~/dev/aws-ia/artifacts