AWS updates with CFN fixes

hlxsites · Jan 31, 2025 · 296771d · 296771d
1 parent 294514d
commit 296771d
Show file tree

Hide file tree

Showing 55 changed files with 1,388 additions and 1,356 deletions.
diff --git a/...al-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.adoc b/...al-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.adoc
@@ -40,7 +40,7 @@ This policy ensures that autoscaling groups supply tags to their launch configur
 
 To mitigate this issue, ensure that the `aws_autoscaling_group` resource includes the `tag` or `tags` attribute with appropriate key-value pairs.
 
-[source,hcl]
+[source,go]
 ----
 resource "aws_autoscaling_group" "example" {
     ...

diff --git a/...on/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc b/...on/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc
@@ -401,10 +401,6 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py[CKV_AWS_217]
 |LOW
 
-|xref:ensure-aws-api-gateway-caching-is-enabled.adoc[AWS API Gateway caching is disabled]
-| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py[CKV_AWS_120]
-|LOW
-
 |xref:ensure-api-gateway-caching-is-enabled.adoc[AWS API Gateway caching is disabled]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py[CKV_AWS_120]
 |LOW
@@ -637,10 +633,6 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py[CKV_AWS_195]
 |LOW
 
-|xref:ensure-glue-component-has-a-security-configuration-associated.adoc[AWS Glue component is not associated with a security configuration]
-| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py[CKV_AWS_195]
-|LOW
-
 |xref:ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.adoc[AWS HTTP and HTTPS target groups do not define health check]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py[CKV_AWS_261]
 |LOW
@@ -721,10 +713,6 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py[CKV_AWS_209]
 |LOW
 
-|xref:ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability.adoc[AWS MQBroker audit logging is disabled]
-| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py[CKV_AWS_197]
-|LOW
-
 |xref:ensure-aws-mqbroker-audit-logging-is-enabled.adoc[AWS MQBroker audit logging is disabled]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py[CKV_AWS_197]
 |LOW
@@ -917,10 +905,6 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/common/graph/checks_infra/base_check.py[CKV_AWS_145]
 |LOW
 
-|xref:ensure-that-dynamodb-tables-are-encrypted.adoc[Unencrypted DynamoDB Tables]
-| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py[CKV_AWS_119]
-|LOW
-
 |xref:ensure-that-ecr-repositories-are-encrypted.adoc[Unencrypted ECR repositories]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py[CKV_AWS_136]
 |LOW

diff --git a/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-360.adoc b/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-360.adoc
@@ -46,3 +46,34 @@ resource "aws_docdb_cluster" "default" {
 }
 ----
 
+
+*CloudFormation*
+
+To mitigate this issue, ensure that the `BackupRetentionPeriod` property in the `AWS::DocDB::DBCluster` resource is set to at least 7 days.
+
+Example:
+
+[source,json]
+----
+{
+  "Resources": {
+    "MyDocDBCluster": {
+      "Type": "AWS::DocDB::DBCluster",
+      "Properties": {
+        "BackupRetentionPeriod": 35,
+        ...
+      }
+    }
+  }
+}
+----
+
+[source,yaml]
+----
+Resources:
+  MyDocDBCluster:
+    Type: AWS::DocDB::DBCluster
+    Properties:
+      BackupRetentionPeriod: 35
+      ...
+----
diff --git a/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-361.adoc b/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-361.adoc
@@ -33,18 +33,29 @@ The reason why this policy is important is that if automated backups are not ena
 
 *Terraform*
 
-* *Resource:* aws_neptune_cluster
-* *Arguments:* backup_retention_period
-
-The Neptune DB cluster must be configured with automated backups enabled and retention period of at least 7 days.
+To fix this issue, ensure that the `backup_retention_period` property in the `aws_neptune_cluster` resource is set to at least 7 days.
 
 [source,go]
 ----
 resource "aws_neptune_cluster" "default" {
-  cluster_identifier  = "neptune-cluster-demo"
-  engine              = "neptune"
+  ...
   backup_retention_period = 7
-  preferred_backup_window = "07:00-09:00"
 }
 ----
 
+*CloudFormation*
+
+To fix this issue, ensure that the `BackupRetentionPeriod` property in the `AWS::Neptune::DBCluster` resource is set to at least 7 days.
+
+Example:
+
+[source,yaml]
+----
+Resources:
+  MyNeptuneDBCluster:
+    Type: AWS::Neptune::DBCluster
+    Properties:
+      BackupRetentionPeriod: 7
+      ...
+----
+
diff --git a/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-363.adoc b/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-363.adoc
@@ -40,14 +40,44 @@ To fix this issue, you must define your AWS Lambda function with a current, supp
 
 Assuming you had originally defined your Lambda function with a deprecated runtime using Terraform, like the following:
 
-[source,hcl]
+[source,go]
 ----
 resource "aws_lambda_function" "lambda_function" {
-  filename      = "lambda_function_payload.zip"
-  function_name = "lambda_function_name"
-  role          = aws_iam_role.lambda.arn
-  handler       = "exports.test"
-  runtime       = "nodejs8.10" 
+  ...
+-  runtime  = "nodejs8.10" 
++  runtime  = "nodejs18.x"
 }
 ----
 
+
+*CloudFormation*
+
+To fix this issue, ensure that the `Runtime` property in the `AWS::Lambda::Function` or `AWS::Serverless::Function` resource is set to a supported runtime that is not deprecated.
+
+Example:
+
+[source,json]
+----
+{
+  "Resources": {
+    "MyLambdaFunction": {
+      "Type": "AWS::Lambda::Function",
+      "Properties": {
+        ...
+        "Runtime": "nodejs18.x",  # Ensure to use a supported runtime
+        ...
+      }
+    }
+  }
+}
+----
+
+[source,yaml]
+----
+Resources:
+  MyServerlessFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      ...
+      Runtime: nodejs18.x  # Ensure to use a supported runtime
+----
diff --git a/...tion/policy-reference/aws-policies/aws-general-policies/bc-aws-general-107.adoc b/...tion/policy-reference/aws-policies/aws-general-policies/bc-aws-general-107.adoc
@@ -39,20 +39,43 @@ In case you do not provide a AWS KMS key then we ensure that your data is encryp
 *Terraform* 
 
 
-* *Resource:* aws_sagemaker_domain
-* *Arguments:* kms_key_id - (Optional) The AWS KMS customer managed CMK used to encrypt the EFS volume attached to the domain.
-
+To fix this issue, ensure that the `kms_key_id` property in the `aws_sagemaker_domain` resource is set to a valid KMS key ARN or key ID.
 
 [source,go]
 ----
 resource "aws_sagemaker_domain" "example" {
-  domain_name = "example"
-  auth_mode   = "IAM"
-  vpc_id      = aws_vpc.test.id
-  subnet_ids  = [aws_subnet.test.id]
+  ...
   + kms_key_id = "ckv_kms"
-  default_user_settings {
-    execution_role = aws_iam_role.test.arn
-  }
 }
 ----
+
+
+*CloudFormation*
+
+To fix this issue, ensure that the `KmsKeyId` property in the `AWS::SageMaker::NotebookInstance` or `AWS::SageMaker::Domain` resource is set to a valid KMS key ARN or key ID.
+
+Example for a SageMaker Notebook Instance:
+
+[source,yaml]
+----
+Resources:
+  MySagemakerNotebookInstance:
+    Type: AWS::SageMaker::NotebookInstance
+    Properties:
+      ...
+      KmsKeyId: arn:aws:kms:us-west-2:123456789012:key/example-key-arn
+      ...
+----
+
+Example for a SageMaker Domain:
+
+[source,yaml]
+----
+Resources:
+  MySagemakerDomain:
+    Type: AWS::SageMaker::Domain
+    Properties:
+      ...
+      KmsKeyId: arn:aws:kms:us-west-2:123456789012:key/example-key-arn
+      ...
+----
diff --git a/...ition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-28.adoc b/...ition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-28.adoc
@@ -11,7 +11,7 @@
 | 08e1e43c-e9e3-40a2-8201-65147b3a9dfd
 
 |Checkov ID 
-| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/DocDBEncryption.py[CKV_AWS_74]
+| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py[CKV_AWS_74]
 
 |Severity
 |MEDIUM
@@ -28,50 +28,7 @@
 
 === Description 
 
-
-
-AWS DocumentDB clusters encryption at rest provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying storage. On a cluster running with Amazon DocumentDB encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, snapshots, and replicas in the same cluster. We recommend enabling encryption at rest.
-
-////
-=== Fix - Runtime
-
-
-Procedure
-
-
-
-. Create an Amazon DocumentDB cluster.
-
-. Under the Authentication section, choose Show advanced settings.
-
-. Scroll down to the Encryption-at-rest section.
-
-. Choose the option that you want for encryption at rest.
-+
-Whichever option you choose, you can't change it after the cluster is created.
-+
-To encrypt data at rest in this cluster, choose Enable encryption.
-
-
-CLI Command
-
-
-
-
-[source,go]
-----
-{
- "aws docdb create-db-cluster \\
-      --db-cluster-identifier sample-cluster \\
-      --port 27017 \\
-      --engine docdb \\
-      --master-username yourMasterUsername \\
-      --master-user-password yourMasterPassword \\
-      --storage-encrypted",
-}
-----
-
-////
+This policy ensures that Amazon DocumentDB (DocDB) clusters are encrypted at rest. Encrypting data at rest protects the data stored in your DocDB clusters from unauthorized access and potential data breaches. By default, DocDB clusters are unencrypted, so it is crucial to enable encryption to secure your data.
 
 === Fix - Buildtime
 
@@ -92,3 +49,35 @@ resource "aws_docdb_cluster" "example" {
   ...
 }
 ----
+
+
+*CloudFormation*
+
+To fix this issue, ensure that the `StorageEncrypted` property in the `AWS::DocDB::DBCluster` resource is set to `true`.
+
+Example:
+
+[source,json]
+----
+{
+  "Resources": {
+    "MyDocDBCluster": {
+      "Type": "AWS::DocDB::DBCluster",
+      "Properties": {
++        "StorageEncrypted": true,
+        ...
+      }
+    }
+  }
+}
+----
+
+[source,yaml]
+----
+Resources:
+  MyDocDBCluster:
+    Type: AWS::DocDB::DBCluster
+    Properties:
++      StorageEncrypted: true
+      ...
+----