tfsec issues for v3.0.0 #96

Open
Vermyndax opened this issue Jul 7, 2021 · 0 comments
@Vermyndax (Owner) commented:

Result 1

[AWS002][ERROR] Resource 'aws_s3_bucket.main_site' does not have logging enabled.
/github/workspace/main.tf:26-68

  23 | }
  24 | 
  25 | # S3 bucket for website, public hosting
  26 | resource "aws_s3_bucket" "main_site" {
  27 |   bucket = random_uuid.random_bucket_name.result
  28 |   # region = var.site_region
  29 | 
  30 |   policy = <<EOF
  31 | {
  32 |   "Id": "bucket_policy_site",
  33 |   "Version": "2012-10-17",
  34 |   "Statement": [
  35 |     {
  36 |       "Sid": "s3_bucket_policy_website",
  37 |       "Action": [
  38 |         "s3:GetObject"
  39 |       ],
  40 |       "Effect": "Allow",
  41 |       "Resource": "arn:aws:s3:::${random_uuid.random_bucket_name.result}/*",
  42 |       "Principal": {
  43 |           "AWS":"*"
  44 |         },
  45 |       "Condition": {
  46 |         "StringEquals": {
  47 |           "aws:UserAgent": "${random_password.random_site_secret.result}"
  48 |         }
  49 |       }
  50 |     }
  51 |   ]
  52 | }
  53 | EOF
  54 | 
  55 | 
  56 |   website {
  57 |     index_document = var.root_page_object
  58 |     error_document = var.error_page_object
  59 |   }
  60 | 
  61 |   versioning {
  62 |     enabled = var.content_bucket_versioning
  63 |   }
  64 | 
  65 |   # tags {
  66 |   # }
  67 |   # force_destroy = true
  68 | }
  69 | 
  70 | resource "aws_s3_bucket_public_access_block" "content_bucket_block" {
  71 |   bucket = aws_s3_bucket.main_site.id

Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging

More Info:

Result 2

[AWS002][ERROR] Resource 'aws_s3_bucket.site_www_redirect' does not have logging enabled.
/github/workspace/main.tf:81-94

  78 | 
  79 | 
  80 | # S3 bucket for www redirect (optional)
  81 | resource "aws_s3_bucket" "site_www_redirect" {
  82 |   count  = var.create_www_redirect_bucket == true ? 1 : 0
  83 |   bucket = "www.${random_uuid.random_bucket_name.result}"
  84 |   # region = var.site_region
  85 |   acl = "private"
  86 | 
  87 |   website {
  88 |     redirect_all_requests_to = var.site_tld
  89 |   }
  90 | 
  91 |   tags = {
  92 |     Website-redirect = var.site_tld
  93 |   }
  94 | }
  95 | 
  96 | # S3 bucket for CloudFront logging
  97 | 

Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging

More Info:

Result 3

[AWS077][ERROR] Resource 'aws_s3_bucket.site_cloudfront_logs' does not have versioning enabled
/github/workspace/main.tf:100-115

  97 | 
  98 | data "aws_canonical_user_id" "current" {}
  99 | 
 100 | resource "aws_s3_bucket" "site_cloudfront_logs" {
 101 |   bucket = "${var.site_tld}-cloudfront-logs"
 102 |   # region = var.site_region
 103 |   # acl = "private"
 104 |   grant {
 105 |     id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0" # This is set by AWS, hope they never ever change it.
 106 |     type        = "CanonicalUser"
 107 |     permissions = ["FULL_CONTROL"]
 108 |   }
 109 | 
 110 |   grant {
 111 |     id          = data.aws_canonical_user_id.current.id
 112 |     type        = "CanonicalUser"
 113 |     permissions = ["FULL_CONTROL"]
 114 |   }
 115 | }
 116 | 
 117 | resource "aws_s3_bucket_public_access_block" "cloudfront_logs_block" {
 118 |   bucket = aws_s3_bucket.site_cloudfront_logs.id

Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification

More Info:

Result 4

[AWS021][ERROR] Resource 'aws_cloudfront_distribution.site_cloudfront_distribution' defines outdated SSL/TLS policies (not using TLSv1.2_2021)
/github/workspace/main.tf:180

 177 |   viewer_certificate {
 178 |     acm_certificate_arn      = var.acm_site_certificate_arn
 179 |     ssl_support_method       = "sni-only"
 180 |     minimum_protocol_version = "TLSv1.2_2019"
 181 |   }
 182 | 
 183 |   restrictions {

Impact: Outdated SSL policies increase exposure to known vulnerabilities
Resolution: Use the most modern TLS/SSL policies available

More Info:

Result 5

[AWS045][WARNING] Resource 'aws_cloudfront_distribution.site_cloudfront_distribution' does not have a WAF in front of it.
/github/workspace/main.tf:127-188

 124 | }
 125 | 
 126 | # CloudFront distribution
 127 | resource "aws_cloudfront_distribution" "site_cloudfront_distribution" {
 128 |   origin {
 129 |     domain_name = aws_s3_bucket.main_site.website_endpoint
 130 |     origin_id   = "origin-bucket-${random_uuid.random_bucket_name.result}"
 131 | 
 132 |     custom_origin_config {
 133 |       origin_protocol_policy = "http-only"
 134 |       http_port              = "80"
 135 |       https_port             = "443"
 136 |       origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
 137 |     }
 138 | 
 139 |     custom_header {
 140 |       name  = "User-Agent"
 141 |       value = random_password.random_site_secret.result
 142 |     }
 143 |   }
 144 | 
 145 |   logging_config {
 146 |     include_cookies = var.log_include_cookies
 147 |     bucket          = aws_s3_bucket.site_cloudfront_logs.bucket_domain_name
 148 |     prefix          = "${local.site_tld_shortname}-"
 149 |   }
 150 | 
 151 |   enabled             = true
 152 |   default_root_object = var.root_page_object
 153 |   aliases             = [var.site_tld, "www.${var.site_tld}"]
 154 |   price_class         = var.cloudfront_price_class
 155 |   retain_on_delete    = true
 156 | 
 157 |   default_cache_behavior {
 158 |     allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
 159 |     cached_methods   = ["GET", "HEAD"]
 160 |     target_origin_id = "origin-bucket-${random_uuid.random_bucket_name.result}"
 161 | 
 162 |     forwarded_values {
 163 |       query_string = true
 164 | 
 165 |       cookies {
 166 |         forward = "none"
 167 |       }
 168 |     }
 169 | 
 170 |     viewer_protocol_policy = "redirect-to-https"
 171 |     compress               = true
 172 |     min_ttl                = 0
 173 |     default_ttl            = 3600
 174 |     max_ttl                = 86400
 175 |   }
 176 | 
 177 |   viewer_certificate {
 178 |     acm_certificate_arn      = var.acm_site_certificate_arn
 179 |     ssl_support_method       = "sni-only"
 180 |     minimum_protocol_version = "TLSv1.2_2019"
 181 |   }
 182 | 
 183 |   restrictions {
 184 |     geo_restriction {
 185 |       restriction_type = "none"
 186 |     }
 187 |   }
 188 | }
 189 | 
 190 | # DNS entry pointing to public site - optional
 191 | 

Impact: Complex web application attacks can more easily be performed without a WAF
Resolution: Enable WAF for the CloudFront distribution

More Info:

Result 6

[AWS017][ERROR] Resource 'aws_s3_bucket.main_site' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/github/workspace/main.tf:26-68

  23 | }
  24 | 
  25 | # S3 bucket for website, public hosting
  26 | resource "aws_s3_bucket" "main_site" {
  27 |   bucket = random_uuid.random_bucket_name.result
  28 |   # region = var.site_region
  29 | 
  30 |   policy = <<EOF
  31 | {
  32 |   "Id": "bucket_policy_site",
  33 |   "Version": "2012-10-17",
  34 |   "Statement": [
  35 |     {
  36 |       "Sid": "s3_bucket_policy_website",
  37 |       "Action": [
  38 |         "s3:GetObject"
  39 |       ],
  40 |       "Effect": "Allow",
  41 |       "Resource": "arn:aws:s3:::${random_uuid.random_bucket_name.result}/*",
  42 |       "Principal": {
  43 |           "AWS":"*"
  44 |         },
  45 |       "Condition": {
  46 |         "StringEquals": {
  47 |           "aws:UserAgent": "${random_password.random_site_secret.result}"
  48 |         }
  49 |       }
  50 |     }
  51 |   ]
  52 | }
  53 | EOF
  54 | 
  55 | 
  56 |   website {
  57 |     index_document = var.root_page_object
  58 |     error_document = var.error_page_object
  59 |   }
  60 | 
  61 |   versioning {
  62 |     enabled = var.content_bucket_versioning
  63 |   }
  64 | 
  65 |   # tags {
  66 |   # }
  67 |   # force_destroy = true
  68 | }
  69 | 
  70 | resource "aws_s3_bucket_public_access_block" "content_bucket_block" {
  71 |   bucket = aws_s3_bucket.main_site.id

Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption

More Info:

Result 7

[AWS075][ERROR] Resource 'aws_s3_bucket_public_access_block.content_bucket_block' sets restrict_public_buckets explicitly to false
/github/workspace/main.tf:76

  73 |   block_public_acls       = true
  74 |   block_public_policy     = true
  75 |   ignore_public_acls      = true
  76 |   restrict_public_buckets = false    bool: false
  77 | }
  78 | 
  79 | 

Impact: Public buckets can be accessed by anyone
Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

More Info:

Result 8

[AWS017][ERROR] Resource 'aws_s3_bucket.site_www_redirect' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/github/workspace/main.tf:81-94

  78 | 
  79 | 
  80 | # S3 bucket for www redirect (optional)
  81 | resource "aws_s3_bucket" "site_www_redirect" {
  82 |   count  = var.create_www_redirect_bucket == true ? 1 : 0
  83 |   bucket = "www.${random_uuid.random_bucket_name.result}"
  84 |   # region = var.site_region
  85 |   acl = "private"
  86 | 
  87 |   website {
  88 |     redirect_all_requests_to = var.site_tld
  89 |   }
  90 | 
  91 |   tags = {
  92 |     Website-redirect = var.site_tld
  93 |   }
  94 | }
  95 | 
  96 | # S3 bucket for CloudFront logging
  97 | 

Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption

More Info:

Result 9

[AWS077][ERROR] Resource 'aws_s3_bucket.site_www_redirect' does not have versioning enabled
/github/workspace/main.tf:81-94

  78 | 
  79 | 
  80 | # S3 bucket for www redirect (optional)
  81 | resource "aws_s3_bucket" "site_www_redirect" {
  82 |   count  = var.create_www_redirect_bucket == true ? 1 : 0
  83 |   bucket = "www.${random_uuid.random_bucket_name.result}"
  84 |   # region = var.site_region
  85 |   acl = "private"
  86 | 
  87 |   website {
  88 |     redirect_all_requests_to = var.site_tld
  89 |   }
  90 | 
  91 |   tags = {
  92 |     Website-redirect = var.site_tld
  93 |   }
  94 | }
  95 | 
  96 | # S3 bucket for CloudFront logging
  97 | 

Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification

More Info:

Result 10

[AWS002][ERROR] Resource 'aws_s3_bucket.site_cloudfront_logs' does not have logging enabled.
/github/workspace/main.tf:100-115

  97 | 
  98 | data "aws_canonical_user_id" "current" {}
  99 | 
 100 | resource "aws_s3_bucket" "site_cloudfront_logs" {
 101 |   bucket = "${var.site_tld}-cloudfront-logs"
 102 |   # region = var.site_region
 103 |   # acl = "private"
 104 |   grant {
 105 |     id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0" # This is set by AWS, hope they never ever change it.
 106 |     type        = "CanonicalUser"
 107 |     permissions = ["FULL_CONTROL"]
 108 |   }
 109 | 
 110 |   grant {
 111 |     id          = data.aws_canonical_user_id.current.id
 112 |     type        = "CanonicalUser"
 113 |     permissions = ["FULL_CONTROL"]
 114 |   }
 115 | }
 116 | 
 117 | resource "aws_s3_bucket_public_access_block" "cloudfront_logs_block" {
 118 |   bucket = aws_s3_bucket.site_cloudfront_logs.id

Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging

More Info:

Result 11

[AWS017][ERROR] Resource 'aws_s3_bucket.site_cloudfront_logs' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/github/workspace/main.tf:100-115

  97 | 
  98 | data "aws_canonical_user_id" "current" {}
  99 | 
 100 | resource "aws_s3_bucket" "site_cloudfront_logs" {
 101 |   bucket = "${var.site_tld}-cloudfront-logs"
 102 |   # region = var.site_region
 103 |   # acl = "private"
 104 |   grant {
 105 |     id          = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0" # This is set by AWS, hope they never ever change it.
 106 |     type        = "CanonicalUser"
 107 |     permissions = ["FULL_CONTROL"]
 108 |   }
 109 | 
 110 |   grant {
 111 |     id          = data.aws_canonical_user_id.current.id
 112 |     type        = "CanonicalUser"
 113 |     permissions = ["FULL_CONTROL"]
 114 |   }
 115 | }
 116 | 
 117 | resource "aws_s3_bucket_public_access_block" "cloudfront_logs_block" {
 118 |   bucket = aws_s3_bucket.site_cloudfront_logs.id

Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption

More Info:

times

disk i/o 3.095124ms
parsing HCL 14.1µs
evaluating values 430.403µs
running checks 777.406µs

counts

files loaded 4
blocks 36
evaluated blocks 36
modules 0
module blocks 0
ignored checks 0

11 potential problems detected.

@Vermyndax Vermyndax added the enhancement New feature or request label Jul 7, 2021
@Vermyndax Vermyndax added this to the v3.0.0 milestone Jul 7, 2021
@Vermyndax Vermyndax self-assigned this Jul 7, 2021
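The following Terraform is an added example of how the findings in the scan above can be addressed; it is not code from this issue or from the module tfsec scanned. It uses the AWS provider 3.x inline-block syntax (`website`, `versioning`, `logging`, `server_side_encryption_configuration`) that main.tf already uses, which is also the shape the tfsec checks quoted above look for. Bucket names, the `access_logs` bucket, the `waf_web_acl_arn` variable and the resource names are placeholders; the `policy = <<EOF ... EOF` block from main.tf is assumed unchanged and is omitted. Two of the eleven findings are deliberately accepted rather than "fixed" (the log bucket has no logging target of its own, and `restrict_public_buckets` stays `false` for the website bucket) and are recorded with `#tfsec:ignore:` comments so the decision is visible in the next scan rather than hidden.

```hcl
# Added example, not code from the issue or the module it scans. Uses the AWS
# provider 3.x inline-block syntax seen in main.tf; names and variables are placeholders.
variable "site_tld" { type = string }
variable "acm_site_certificate_arn" { type = string }
variable "waf_web_acl_arn" {        # WAFv2 ACL with scope = CLOUDFRONT (us-east-1); "" = none
  type    = string
  default = ""
}

# Dedicated target for S3 server access logs: a bucket cannot log to itself, and
# the log bucket is not logged anywhere, so AWS002 is silenced here on purpose.
#tfsec:ignore:AWS002
resource "aws_s3_bucket" "access_logs" {
  bucket = "${var.site_tld}-s3-access-logs"
  acl    = "log-delivery-write"      # lets the S3 Log Delivery group write objects

  versioning {                       # AWS077
    enabled = true
  }
  server_side_encryption_configuration {   # AWS017
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# Website bucket; the policy = <<EOF ... EOF from main.tf is unchanged and omitted.
resource "aws_s3_bucket" "main_site" {
  bucket = "${var.site_tld}-site"

  website {
    index_document = "index.html"
    error_document = "error.html"
  }
  logging {                          # AWS002
    target_bucket = aws_s3_bucket.access_logs.id
    target_prefix = "main-site/"
  }
  versioning {                       # AWS077: always on, not behind a variable
    enabled = true
  }
  server_side_encryption_configuration {   # AWS017. SSE-S3 only: the S3 website
    rule {                                 # endpoint cannot serve SSE-KMS objects.
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# AWS075: CloudFront fetches anonymously through the website endpoint, so the public
# bucket policy must stay effective; restrict_public_buckets = true would return 403
# to the origin. Record the decision instead of hiding it (an OAI with the REST
# endpoint as origin is the structural fix that lets this become true).
#tfsec:ignore:AWS075
resource "aws_s3_bucket_public_access_block" "main_site" {
  bucket                  = aws_s3_bucket.main_site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = false
}

resource "aws_cloudfront_distribution" "site" {
  enabled             = true
  default_root_object = "index.html"
  web_acl_id          = var.waf_web_acl_arn != "" ? var.waf_web_acl_arn : null   # AWS045

  origin {
    domain_name = aws_s3_bucket.main_site.website_endpoint
    origin_id   = "site-origin"
    custom_origin_config {
      origin_protocol_policy = "http-only"   # S3 website endpoints are HTTP only
      http_port              = 80
      https_port             = 443
      origin_ssl_protocols   = ["TLSv1.2"]   # required argument; no legacy versions listed
    }
  }
  default_cache_behavior {
    target_origin_id       = "site-origin"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]   # static site: no PUT/POST/DELETE
    cached_methods         = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }
  viewer_certificate {
    acm_certificate_arn      = var.acm_site_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"   # AWS021
  }
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}
```

Three choices worth noting. The website bucket uses SSE-S3 (`AES256`) rather than a KMS key because the S3 static website endpoint cannot serve SSE-KMS objects, so a KMS default would silently break the site. `restrict_public_buckets` is kept `false` for the website bucket because the origin pattern in main.tf (CloudFront hitting the website endpoint with a `User-Agent` header that the bucket policy checks) relies on the public policy being honoured; the same module could satisfy AWS075 by moving to an origin access identity on the REST endpoint, at which point the bucket policy, the `custom_header` and the `http-only` origin all change. Finally, `allowed_methods` is narrowed from the original list to `GET`, `HEAD` and `OPTIONS`, since a static S3 website has no use for the write methods main.tf currently forwards.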