You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I noted that a number of MP-provided environments in this repository are not using secure TLS policies. This PR updates the configuration to use secure listeners. From some investigation, it appears that when a policy is not specified in Terraform, it defaults to using ELBSecurityPolicy-2016-08 as discussed here.
Trivy will check the following folders:
terraform/environments/cooker terraform/environments/example terraform/environments/sprinkler
Running Trivy in terraform/environments/cooker
2024-05-20T11:02:06Z INFO Need to update DB
2024-05-20T11:02:06Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-20T11:02:08Z INFO Vulnerability scanning is enabled
2024-05-20T11:02:08Z INFO Misconfiguration scanning is enabled
2024-05-20T11:02:08Z INFO Need to update the built-in policies
2024-05-20T11:02:08Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-20T11:02:09Z INFO Secret scanning is enabled
2024-05-20T11:02:09Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:02:09Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-20T11:02:09Z INFO Number of language-specific files num=0
2024-05-20T11:02:09Z INFO Detected config files num=2
HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.
When enabling encryption by setting the kms_key_id.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
Running Trivy in terraform/environments/example
2024-05-20T11:02:10Z INFO Vulnerability scanning is enabled
2024-05-20T11:02:10Z INFO Misconfiguration scanning is enabled
2024-05-20T11:02:10Z INFO Secret scanning is enabled
2024-05-20T11:02:10Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:02:10Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-20T11:02:17Z INFO Number of language-specific files num=0
2024-05-20T11:02:17Z INFO Detected config files num=16
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:209
via ecs.tf:204-211 (content)
via ecs.tf:202-212 (dynamic.egress["cluster_ec2_lb_egress"])
via ecs.tf:186-214 (aws_security_group.cluster_ec2)
────────────────────────────────────────
186 resource "aws_security_group" "cluster_ec2" {
...
209 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
214 }
────────────────────────────────────────
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:44
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:40-45 (metadata_options)
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:1-99 (aws_launch_template.this)
via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
1 resource "aws_launch_template" "this" {
.
44 [ http_tokens = coalesce(var.instance.metadata_options_http_tokens, "required")
..
99 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:144-175 (aws_lb.loadbalancer)
via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb" "loadbalancer" {
...
148 [ internal = var.internal_lb
...
175 }
────────────────────────────────────────
HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:144-175 (aws_lb.loadbalancer)
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb" "loadbalancer" {
...
148 [ internal = var.internal_lb
...
175 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group" "lb" {
...
202 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
213 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
loadbalancer.tf:328-345
────────────────────────────────────────
328 ┌ resource "aws_instance" "lb_example_instance" {
329 │ #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
330 │ #checkov:skip=CKV_AWS_8: "Encryption not required for example instance"
331 │ # Specify the instance type and ami to be used (this is the Amazon free tier option)
332 │ instance_type = local.application_data.accounts[local.environment].instance_type
333 │ ami = local.application_data.accounts[local.environment].ami_image_id
334 │ vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
335 │ subnet_id = data.aws_subnet.private_subnets_a.id
336 └ monitoring = true
...
────────────────────────────────────────
trivy_exitcode=2
Running Trivy in terraform/environments/sprinkler
2024-05-20T11:02:17Z INFO Vulnerability scanning is enabled
2024-05-20T11:02:17Z INFO Misconfiguration scanning is enabled
2024-05-20T11:02:17Z INFO Secret scanning is enabled
2024-05-20T11:02:17Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:02:17Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-20T11:02:21Z INFO Number of language-specific files num=0
2024-05-20T11:02:21Z INFO Detected config files num=9
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/cooker terraform/environments/example terraform/environments/sprinkler
*****************************
Running tflint in terraform/environments/cooker
Excluding the following checks: terraform_unused_declarations
1issue(s) found:
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/cooker/main.tf line 681:681:resource"random_string""secret_name_suffix" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.mdtflint_exitcode=2*****************************
Running tflint in terraform/environments/example
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2*****************************
Running tflint in terraform/environments/sprinkler
Excluding the following checks: terraform_unused_declarations
1issue(s) found:
Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)
on terraform/environments/sprinkler/db_manager.tf line 50:50:data"template_cloudinit_config""cloudinit-db-mgmt" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.mdtflint_exitcode=4
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/cooker terraform/environments/example terraform/environments/sprinkler
*****************************
Running Trivy in terraform/environments/cooker
2024-05-20T11:02:06Z INFO Need to update DB
2024-05-20T11:02:06Z INFO Downloading DB...repository="ghcr.io/aquasecurity/trivy-db:2"2024-05-20T11:02:08Z INFO Vulnerability scanning is enabled
2024-05-20T11:02:08Z INFO Misconfiguration scanning is enabled
2024-05-20T11:02:08Z INFO Need to update the built-in policies
2024-05-20T11:02:08Z INFO Downloading the built-in policies...50.41 KiB /50.41 KiB [-----------------------------------------------------------] 100.00%? p/s 0s2024-05-20T11:02:09Z INFO Secret scanning is enabled
2024-05-20T11:02:09Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:02:09Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection2024-05-20T11:02:09Z INFO Number of language-specific files num=02024-05-20T11:02:09Z INFO Detected config files num=2
main.tf (terraform)
===================
Tests:20 (SUCCESSES:13, FAILURES:6, EXCEPTIONS:1)
Failures:6 (HIGH:4, CRITICAL:2)
HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
main.tf:408-423
────────────────────────────────────────
408 ┌ resource"aws_lb""external" {
409 │
410 │ name="external-${var.networking[0].application}"411 │ internal=false412 │ load_balancer_type="application"413 │ security_groups=[aws_security_group.external_lb.id]
414 │ subnets=data.aws_subnets.shared-public.ids415 │ enable_deletion_protection=false416 └
...
────────────────────────────────────────
HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
main.tf:548-563
────────────────────────────────────────
548 ┌ resource"aws_lb""inner" {
549 │
550 │ name="inner-${var.networking[0].application}"551 │ internal=true552 │ load_balancer_type="application"553 │ security_groups=[aws_security_group.inner_lb.id]
554 │ subnets=data.aws_subnets.shared-private.ids555 │ enable_deletion_protection=false556 └
...
────────────────────────────────────────
HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
main.tf:411
via main.tf:408-423 (aws_lb.external)
────────────────────────────────────────
408resource"aws_lb""external" {
...411 [ internal = false...423 }
────────────────────────────────────────
HIGH:Instancedoesnothavestorageencryptionenabled.
════════════════════════════════════════
EncryptionshouldbeenabledforanRDSDatabaseinstances.Whenenablingencryptionbysettingthekms_key_id.Seehttps://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
main.tf:703-723
────────────────────────────────────────
703 ┌ resource"aws_db_instance""app" {
704 │
705 │ identifier = var.networking[0].application
706 │ allocated_storage = local.application_data.accounts[local.environment].rds_storage
707 │ engine ="postgres"708 │ engine_version = local.application_data.accounts[local.environment].rds_postgresql_version
709 │ instance_class = local.application_data.accounts[local.environment].rds_instance_class
710 │ db_name = var.networking[0].application
711 └ username ="dbmain"...
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
main.tf:97
via main.tf:90-98 (aws_security_group_rule.app_egress_1)
────────────────────────────────────────
90 resource "aws_security_group_rule""app_egress_1" {
9192 security_group_id = aws_security_group.app.id
93 type ="egress"94 from_port =095 to_port =096 protocol =-197 [ cidr_blocks = ["0.0.0.0/0"]
98 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
main.tf:657
via main.tf:650-658 (aws_security_group_rule.rds_egress_1)
────────────────────────────────────────
650 resource "aws_security_group_rule""rds_egress_1" {
651652 security_group_id = aws_security_group.rds.id
653 type ="egress"654 from_port =0655 to_port =0656 protocol =-1657 [ cidr_blocks = ["0.0.0.0/0"]
658 }
────────────────────────────────────────
trivy_exitcode=1*****************************
Running Trivy in terraform/environments/example
2024-05-20T11:02:10Z INFO Vulnerability scanning is enabled
2024-05-20T11:02:10Z INFO Misconfiguration scanning is enabled
2024-05-20T11:02:10Z INFO Secret scanning is enabled
2024-05-20T11:02:10Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:02:10Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection2024-05-20T11:02:17Z INFO Number of language-specific files num=02024-05-20T11:02:17Z INFO Detected config files num=16
ec2.tf (terraform)
==================
Tests:8 (SUCCESSES:5, FAILURES:0, EXCEPTIONS:3)
Failures:0 (HIGH:0, CRITICAL:0)
ec2_autoscaling_group.tf (terraform)
====================================
Tests:2 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
ec2_complete.tf (terraform)
===========================
Tests:3 (SUCCESSES:2, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2_complete.tf:235
via ec2_complete.tf:227-236 (aws_security_group_rule.complete_egress_traffic["TCP_ALL"])
────────────────────────────────────────
227 resource "aws_security_group_rule""complete_egress_traffic" {
228 for_each = local.complete_ec2_sg_egress_rules
229 description =format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port)
230 from_port = each.value.from_port
231 protocol = each.value.protocol
232 security_group_id = aws_security_group.example_ec2_sg.id
233 to_port = each.value.to_port
234 type ="egress"235 [ cidr_blocks = [each.value.cidr_block]
236 }
────────────────────────────────────────
ecs.tf (terraform)
==================
Tests:5 (SUCCESSES:3, FAILURES:1, EXCEPTIONS:1)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:209
via ecs.tf:204-211 (content)
via ecs.tf:202-212 (dynamic.egress["cluster_ec2_lb_egress"])
via ecs.tf:186-214 (aws_security_group.cluster_ec2)
────────────────────────────────────────
186 resource "aws_security_group""cluster_ec2" {
...209 [ cidr_blocks =lookup(egress.value, "cidr_blocks", null)
...214 }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11/main.tf (terraform)
============================================================================================================================================
Tests:7 (SUCCESSES:5, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf (terraform)
====================================================================================================================================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:44
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:40-45 (metadata_options)
via github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=03913ac182decfc8224923520439d53d7c930661/main.tf:1-99 (aws_launch_template.this)
via ec2_autoscaling_group.tf:1-29 (module.ec2_test_autoscaling_group["dev-rh-rhel79"])
────────────────────────────────────────
1 resource "aws_launch_template""this" {
.
44 [ http_tokens =coalesce(var.instance.metadata_options_http_tokens, "required")
..
99 }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
================================================================================================================================================================================================================================================================
Tests:14 (SUCCESSES:12, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection foryourS3buckets.Toincreasecontroloftheencryptionandmanagefactorslikerotationusecustomermanagedkeys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:9-64 (module.s3-bucket[0])
via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration""default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key !="") ? var.custom_kms_key :""177 │ }
178 │ }
179 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection foryourS3buckets.Toincreasecontroloftheencryptionandmanagefactorslikerotationusecustomermanagedkeys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:9-64 (module.s3-bucket[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration""default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key !="") ? var.custom_kms_key :""177 │ }
178 │ }
179 └ }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf (terraform)
===========================================================================================================================================
Tests:16 (SUCCESSES:10, FAILURES:4, EXCEPTIONS:2)
Failures:4 (HIGH:2, CRITICAL:2)
HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:144-175 (aws_lb.loadbalancer)
via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb""loadbalancer" {
...148 [ internal = var.internal_lb
...175 }
────────────────────────────────────────
HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:144-175 (aws_lb.loadbalancer)
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
144 resource "aws_lb""loadbalancer" {
...148 [ internal = var.internal_lb
...175 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via ecs.tf:115-134 (module.ecs_lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group""lb" {
...202 [ cidr_blocks =lookup(egress.value, "cidr_blocks", null)
...213 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:202
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:197-204 (content)
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:195-205 (dynamic.egress["cluster_ec2_lb_egress"])
via github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:177-213 (aws_security_group.lb[0])
via loadbalancer_module.tf:2-21 (module.lb_access_logs_enabled)
────────────────────────────────────────
177 resource "aws_security_group""lb" {
...202 [ cidr_blocks =lookup(egress.value, "cidr_blocks", null)
...213 }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
========================================================================================================================================
Tests:14 (SUCCESSES:12, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection foryourS3buckets.Toincreasecontroloftheencryptionandmanagefactorslikerotationusecustomermanagedkeys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via s3.tf:8-72 (module.s3-bucket)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration""default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key !="") ? var.custom_kms_key :""177 │ }
178 │ }
179 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection foryourS3buckets.Toincreasecontroloftheencryptionandmanagefactorslikerotationusecustomermanagedkeys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via loadbalancer.tf:185-248 (module.s3-bucket-lb)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration""default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key !="") ? var.custom_kms_key :""177 │ }
178 │ }
179 └ }
────────────────────────────────────────
loadbalancer.tf (terraform)
===========================
Tests:7 (SUCCESSES:5, FAILURES:1, EXCEPTIONS:1)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
loadbalancer.tf:328-345
────────────────────────────────────────
328 ┌ resource "aws_instance""lb_example_instance" {
329 │ #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."330 │ #checkov:skip=CKV_AWS_8: "Encryption not required for example instance"331 │ # Specify the instance type and ami to be used (this is the Amazon free tier option)332 │ instance_type = local.application_data.accounts[local.environment].instance_type
333 │ ami = local.application_data.accounts[local.environment].ami_image_id
334 │ vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id]
335 │ subnet_id = data.aws_subnet.private_subnets_a.id
336 └ monitoring =true...
────────────────────────────────────────
trivy_exitcode=2*****************************
Running Trivy in terraform/environments/sprinkler
2024-05-20T11:02:17Z INFO Vulnerability scanning is enabled
2024-05-20T11:02:17Z INFO Misconfiguration scanning is enabled
2024-05-20T11:02:17Z INFO Secret scanning is enabled
2024-05-20T11:02:17Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-20T11:02:17Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection2024-05-20T11:02:21Z INFO Number of language-specific files num=02024-05-20T11:02:21Z INFO Detected config files num=9
db_manager.tf (terraform)
=========================
Tests:9 (SUCCESSES:4, FAILURES:0, EXCEPTIONS:5)
Failures:0 (HIGH:0, CRITICAL:0)
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:7 (SUCCESSES:5, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref=v1.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)
================================================================================================================================================================================================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection foryourS3buckets.Toincreasecontroloftheencryptionandmanagefactorslikerotationusecustomermanagedkeys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref=v1.0.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
via github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref=v1.0.0/main.tf:3-57 (module.s3-bucket[0])
via ssm.tf:1-17 (module.ssm-auto-patching)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration""default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key !="") ? var.custom_kms_key :""163 │ }
164 │ }
165 └ }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref=v1.0.0/main.tf (terraform)
=============================================================================================================
Tests:2 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
main.tf (terraform)
===================
Tests:20 (SUCCESSES:17, FAILURES:0, EXCEPTIONS:3)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=3
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
github-actions
bot
added
the
environments-repository
dms1981
had a problem deploying
to
example-development
I noted that a number of MP-provided environments in this repository are not using secure TLS policies. This PR updates the configuration to use secure listeners. From some investigation, it appears that when a policy is not specified in Terraform, it defaults to using
ELBSecurityPolicy-2016-08as discussed here.