Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create bla.tf #12

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions bla.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
resource "aws_s3_bucket" "example" {

Check warning on line 1 in bla.tf

View check run for this annotation

Orca Security (US) / Orca Security - Infrastructure as Code

[INFO] IAM Access Analyzer Is Not Enabled

Details: Enable IAM Access analyzer for IAM policies about all resources. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Recommendation: 'aws_accessanalyzer_analyzer' should be set

Check warning on line 1 in bla.tf

View check run for this annotation

Orca Security (US) / Orca Security - Infrastructure as Code

[INFO] S3 Bucket Server Access Logging is Disabled

Details: Ensure that AWS S3 Server Access Logging feature is enabled in order to record access requests useful for security audits. By default, server access logging is not enabled for S3 buckets. Recommendation: 'logging' should be defined and not null
bucket = "my-tf-test-bucket"
acl = "private"

tags = {
Name = "My Test Bucket"
Environment = "Dev"
}

versioning {
enabled = false

Check warning on line 11 in bla.tf

View check run for this annotation

Orca Security (US) / Orca Security - Infrastructure as Code

[LOW] AWS S3 Bucket Without "MFA Delete" Enabled

Details: Using MFA-protected S3 buckets will enable an extra layer of protection to ensure that the S3 objects (files) cannot be accidentally or intentionally deleted by the AWS users that have access to the buckets. Recommendation: 'enabled' should be set to true

Check warning on line 11 in bla.tf

View check run for this annotation

Orca Security (US) / Orca Security - Infrastructure as Code

[LOW] S3 Bucket Object Versioning not Enabled

Details: Using versioning-enabled S3 buckets will allow you to preserve, retrieve, and restore every version of an S3 object. S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten by AWS users or applications and archiving previous versions of objects to AWS Glacier for long-term low-cost storage. Recommendation: 'versioning.enabled' should be true
mfa_delete = false

Check warning on line 12 in bla.tf

View check run for this annotation

Orca Security (US) / Orca Security - Infrastructure as Code

[LOW] AWS S3 Bucket Without "MFA Delete" Enabled

Details: Using MFA-protected S3 buckets will enable an extra layer of protection to ensure that the S3 objects (files) cannot be accidentally or intentionally deleted by the AWS users that have access to the buckets. Recommendation: 'mfa_delete' should be set to true
}
}


# Server Side Encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "sse_example" {
bucket = aws_s3_bucket.example.bucket

rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.testkey.arn
sse_algorithm = "aws:kms"
}
}
}

resource "aws_kms_key" "testkey" {

Check warning on line 29 in bla.tf

View check run for this annotation

Orca Security (US) / Orca Security - Infrastructure as Code

[INFO] Customer Master Key Rotation is Disabled

Details: AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. Recommendation: aws_kms_key[testkey].enable_key_rotation should be set to true
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Iac Misconfig Detection Terraform

Type: Customer Master Keys (Cmk) Must Have Rotation Enabled, Which Means The Attribute 'Enable Key Rotation' Must Be Set To 'True' When The Key Is Enabled.

Description: Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.

Severity: HIGH

Learn more about this issue



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

description = "This is a test key that is used to encrypt bucket objects"
deletion_window_in_days = 10

tags = {
Name = "my_kms_key"
TestTag = "Value"
}

policy = <<EOF
{
"Id": "key-123",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111:user/test-user"
},
"Resource": [
"arn:aws:kms:us-west-2:1111111:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"arn:aws:kms:us-east-2:1111111:key/0987dcba-09fe-87dc-65ba-ab0987654321"
]
"Action": "kms:*",
}
]
}
EOF
}
Loading