Update main.tf

[try-panwiac]

No description provided.

[prisma-cloud-devsecops]

Prisma Cloud has found errors in this PR ⬇️

[prisma-cloud-devsecops]

Suggested change

	# bucket is not encrypted
	resource "aws_s3_bucket" "data" {
	# bucket is public
	# bucket is not encrypted
	# bucket does not have access logs
	# bucket does not have versioning
	bucket = "${local.resource_prefix.value}-data"
	region = "us-west-2"
	acl = "public-read"
	#force_destroy = true
	tags = {
	Name = "${local.resource_prefix.value}-data"
	Environment = local.resource_prefix.value
	}
	}
	resource "aws_s3_bucket" "data_log_bucket" {
	bucket = "data-log-bucket"
	}
	resource "aws_s3_bucket_logging" "data" {
	bucket = aws_s3_bucket.data.id
	target_bucket = aws_s3_bucket.data_log_bucket.id
	target_prefix = "log/"
	}

  AWS Access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.data | Bridgecrew ID: 806079772773363712_AWS_1681373485597 | Checkov ID: CKV_AWS_18

Description

https://docs.bridgecrew.io/docs/s3_13-enable-logging

Benchmarks

• HIPAA 164.312(B) Audit controls

🪄 Smart Fix -

Fix based on 100% past actions in this repository

[prisma-cloud-devsecops]

Suggested change

	# bucket is not encrypted
	resource "aws_s3_bucket" "data" {
	# bucket is public
	# bucket is not encrypted
	# bucket does not have access logs
	# bucket does not have versioning
	bucket = "${local.resource_prefix.value}-data"
	region = "us-west-2"
	acl = "public-read"
	#force_destroy = true
	tags = {
	Name = "${local.resource_prefix.value}-data"
	Environment = local.resource_prefix.value
	}
	}
	resource "aws_s3_bucket_versioning" "data" {
	bucket = aws_s3_bucket.data.id
	versioning_configuration {
	status = "Enabled"
	}
	}

  AWS S3 Object Versioning is disabled
    Resource: aws_s3_bucket.data | Bridgecrew ID: 806079772773363712_AWS_1681373481919 | Checkov ID: CKV_AWS_21

Description

https://docs.bridgecrew.io/docs/s3_16-enable-versioning

Benchmarks

• FEDRAMP (MODERATE) CP-10, SI-12
• PCI-DSS V3.2.1 10.5.3

🪄 Smart Fix -

Fix based on 100% past actions in this repository

[prisma-cloud-devsecops]

  S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_NETWORKING_52 | Checkov ID: CKV2_AWS_6

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}

Description

When you create an S3 bucket, it is good practice to set the additional resource **aws_s3_bucket_public_access_block** to ensure the bucket is never accidentally public.

We recommend you ensure S3 bucket has public access blocks. If the public access block is not attached it defaults to False.

[prisma-cloud-devsecops]

Suggested change

	# bucket is not encrypted
	resource "aws_s3_bucket" "data" {
	# bucket is public
	# bucket is not encrypted
	# bucket does not have access logs
	# bucket does not have versioning
	bucket = "${local.resource_prefix.value}-data"
	region = "us-west-2"
	acl = "private"
	tags = {
	Name = "${local.resource_prefix.value}-data"
	Environment = local.resource_prefix.value
	}
	}

  AWS S3 bucket ACL grants READ permission to everyone
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_S3_1 | Checkov ID: CKV_AWS_20

How to Fix

resource "aws_s3_bucket" "data" {
	...
  bucket        = "${local.resource_prefix.value}-data"
-  acl           = "public-read"
+  acl           = "private"
}

Description

Unprotected S3 buckets are one of the major causes of data theft and intrusions. An S3 bucket that allows **READ** access to everyone can provide attackers the ability to read object data within the bucket, which can lead to the exposure of sensitive data. The only S3 buckets that should be globally accessible for unauthenticated users or for **Any AWS Authenticate Users** are those used for hosting static websites. Bucket ACL helps manage access to S3 bucket data.

We recommend AWS S3 buckets are not publicly accessible for READ actions to protect S3 data from unauthorized users and exposing sensitive data to public access.

Benchmarks

• NIST-800-53 AC-17

🪄 Smart Fix -

Fix based on 100% past actions in this repository

[prisma-cloud-devsecops]

Suggested change

	# bucket is not encrypted
	resource "aws_s3_bucket" "data" {
	# bucket is public
	# bucket is not encrypted
	# bucket does not have access logs
	# bucket does not have versioning
	bucket = "${local.resource_prefix.value}-data"
	region = "us-west-2"
	acl = "public-read"
	#force_destroy = true
	tags = {
	Name = "${local.resource_prefix.value}-data"
	Environment = local.resource_prefix.value
	}
	}
	resource "aws_s3_bucket_versioning" "data" {
	bucket = aws_s3_bucket.data.id
	versioning_configuration {
	status = "Enabled"
	}
	}
	resource "aws_s3_bucket" "destination" {
	bucket = aws_s3_bucket.data.id
	versioning_configuration {
	status = "Enabled"
	}
	}
	resource "aws_iam_role" "replication" {
	name = "aws-iam-role"
	assume_role_policy = <<POLICY
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Action": "sts:AssumeRole",
	"Principal": {
	"Service": "s3.amazonaws.com"
	},
	"Effect": "Allow",
	"Sid": ""
	}
	]
	}
	POLICY
	}
	resource "aws_s3_bucket_replication_configuration" "data" {
	depends_on = [aws_s3_bucket_versioning.data]
	role = aws_iam_role.data.arn
	bucket = aws_s3_bucket.data.id
	rule {
	id = "foobar"
	status = "Enabled"
	destination {
	bucket = aws_s3_bucket.destination.arn
	storage_class = "STANDARD"
	}
	}
	}

  S3 bucket cross-region replication disabled
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_GENERAL_72 | Checkov ID: CKV_AWS_144

How to Fix

resource "aws_s3_bucket" "test" {
  ...
+  replication_configuration {
+    role = aws_iam_role.replication.arn
+    rules {
+      id     = "foobar"
+      prefix = "foo"
+      status = "Enabled"
+
+      destination {
+        bucket        = aws_s3_bucket.destination.arn
+        storage_class = "STANDARD"
+      }
+    }
+  }
}

Description

Cross-region replication enables automatic, asynchronous copying of objects across S3 buckets. By default, replication supports copying new S3 objects after it is enabled. It is also possible to use replication to copy existing objects and clone them to a different bucket, but in order to do so, you must contact AWS Support.

🪄 Smart Fix -

Fix based on 100% past actions in this repository

[prisma-cloud-devsecops]

Suggested change

	# bucket is not encrypted
	resource "aws_s3_bucket" "data" {
	# bucket is public
	# bucket is not encrypted
	# bucket does not have access logs
	# bucket does not have versioning
	bucket = "${local.resource_prefix.value}-data"
	region = "us-west-2"
	acl = "public-read"
	#force_destroy = true
	tags = {
	Name = "${local.resource_prefix.value}-data"
	Environment = local.resource_prefix.value
	}
	}
	resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
	bucket = aws_s3_bucket.data.bucket
	rule {
	apply_server_side_encryption_by_default {
	sse_algorithm = "aws:kms"
	}
	}
	}

  S3 buckets are not encrypted with KMS
    Resource: aws_s3_bucket.data | Bridgecrew ID: BC_AWS_GENERAL_56 | Checkov ID: CKV_AWS_145

How to Fix

resource "aws_s3_bucket" "bucket_name" {
  bucket = "bucket_good"
}

+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+   bucket = aws_s3_bucket.bucket_name.bucket
+
+   rule {
+     apply_server_side_encryption_by_default {
+       kms_master_key_id = aws_kms_key.mykey.arn
+       sse_algorithm     = "aws:kms"
+     }
+   }
+ }

Description

Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering. By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit. Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.

🪄 Smart Fix -

Fix based on 100% past actions in this repository