From 296771de1a86d2d87d1492a4c6da102be48401b2 Mon Sep 17 00:00:00 2001 
From: Taylor Date: Thu, 30 Jan 2025 23:12:34 -0800 Subject: [PATCH] AWS updates with CFN fixes --- ...-supply-tags-to-launch-configurations.adoc | 2 +- .../aws-general-policies.adoc | 16 --- .../aws-general-policies/bc-aws-360.adoc | 31 ++++ .../aws-general-policies/bc-aws-361.adoc | 25 +++- .../aws-general-policies/bc-aws-363.adoc | 42 +++++- .../bc-aws-general-107.adoc | 43 ++++-- .../bc-aws-general-28.adoc | 79 +++++------ .../bc-aws-general-32.adoc | 59 ++++---- .../bc-aws-general-43.adoc | 134 ++++++++++++------ ...re-aws-api-gateway-caching-is-enabled.adoc | 76 ---------- ...nsure-aws-appsync-is-protected-by-waf.adoc | 24 +++- ...nsure-aws-appsyncs-logging-is-enabled.adoc | 26 +++- ...-your-lambda-function-urls-is-defined.adoc | 46 +++++- ...ured-with-amr-for-log4j-vulnerability.adoc | 62 -------- ...ociated-with-a-security-configuration.adoc | 103 ++++++++++---- ...aws-mqbroker-audit-logging-is-enabled.adoc | 43 +++--- ...ure-ebs-default-encryption-is-enabled.adoc | 23 +-- ...s-a-security-configuration-associated.adoc | 88 ------------ ...function-is-configured-inside-a-vpc-1.adoc | 54 ++++++- ...re-that-dynamodb-tables-are-encrypted.adoc | 54 ------- ...manager-secret-is-encrypted-using-kms.adoc | 22 ++- ...-workspace-user-volumes-are-encrypted.adoc | 4 - .../aws-general-policies/general-25.adoc | 30 ++-- .../aws-general-policies/general-4.adoc | 20 +-- .../aws-iam-policies/bc-aws-364.adoc | 41 +++++- .../aws-iam-policies/bc-aws-iam-45.adoc | 32 ++++- ...allow-write-access-without-constraint.adoc | 2 +- ...y-does-not-contain-wildcard-principal.adoc | 44 ++++-- ...luster-has-iam-authentication-enabled.adoc | 3 +- .../iam-16-iam-policy-privileges-1.adoc | 52 +++---- .../aws-policies/aws-iam-policies/iam-48.adoc | 77 ++++------ .../bc-aws-kubernetes-3.adoc | 32 +++-- .../aws-logging-policies/bc-aws-317.adoc | 43 +++++- .../bc-aws-logging-23.adoc | 12 -- .../bc-aws-logging-24.adoc | 11 +- ...db-instance-has-query-logging-enabled.adoc | 29 +++- 
...g-is-enabled-for-amazon-rds-instances.adoc | 22 ++- .../aws-logging-policies/logging-1.adoc | 100 ++----------- .../aws-logging-policies/logging-19.adoc | 88 +++++------- .../aws-logging-policies/logging-7.adoc | 67 ++------- .../aws-networking-policies/bc-aws-291.adoc | 96 +++++++------ .../bc-aws-networking-63.adoc | 70 +++++---- .../ensure-that-alb-drops-http-headers.adoc | 49 ++++++- .../networking-29.adoc | 71 ++++------ .../networking-31.adoc | 74 ++++++---- .../bc-aws-serverless-5.adoc | 82 +++++++---- ...asticsearch-3-enable-encryptionatrest.adoc | 71 ++++++---- .../elasticsearch-5.adoc | 30 ++-- .../elasticsearch-6.adoc | 43 +++--- .../public-1-ecr-repositories-not-public.adoc | 57 ++++---- .../public-policies/public-11.adoc | 76 ++++------ .../s3-policies/bc-aws-s3-19.adoc | 60 +++++--- .../s3-policies/bc-aws-s3-20.adoc | 35 +++-- .../s3-policies/s3-13-enable-logging.adoc | 110 +++++--------- .../s3-policies/s3-16-enable-versioning.adoc | 59 +++----- 55 files changed, 1388 insertions(+), 1356 deletions(-) delete mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-caching-is-enabled.adoc delete mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability.adoc delete mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-glue-component-has-a-security-configuration-associated.adoc delete mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-dynamodb-tables-are-encrypted.adoc 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.adoc index 0fa860c198..9b62fec25a 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.adoc @@ -40,7 +40,7 @@ This policy ensures that autoscaling groups supply tags to their launch configur To mitigate this issue, ensure that the `aws_autoscaling_group` resource includes the `tag` or `tags` attribute with appropriate key-value pairs. -[source,hcl] +[source,go] ---- resource "aws_autoscaling_group" "example" { ... diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc index efd41a3f6a..2d7cc5c19d 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc 
@@ -401,10 +401,6 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py[CKV_AWS_217] |LOW -|xref:ensure-aws-api-gateway-caching-is-enabled.adoc[AWS API Gateway caching is disabled] -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py[CKV_AWS_120] -|LOW - |xref:ensure-api-gateway-caching-is-enabled.adoc[AWS API Gateway caching is disabled] | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py[CKV_AWS_120] |LOW @@ -637,10 +633,6 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py[CKV_AWS_195] |LOW -|xref:ensure-glue-component-has-a-security-configuration-associated.adoc[AWS Glue component is not associated with a security configuration] -| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py[CKV_AWS_195] -|LOW - |xref:ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.adoc[AWS HTTP and HTTPS target groups do not define health check] | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py[CKV_AWS_261] |LOW 
@@ -721,10 +713,6 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py[CKV_AWS_209] |LOW -|xref:ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability.adoc[AWS MQBroker audit logging is disabled] -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py[CKV_AWS_197] -|LOW - |xref:ensure-aws-mqbroker-audit-logging-is-enabled.adoc[AWS MQBroker audit logging is disabled] | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py[CKV_AWS_197] |LOW @@ -917,10 +905,6 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/common/graph/checks_infra/base_check.py[CKV_AWS_145] |LOW -|xref:ensure-that-dynamodb-tables-are-encrypted.adoc[Unencrypted DynamoDB Tables] -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py[CKV_AWS_119] -|LOW - |xref:ensure-that-ecr-repositories-are-encrypted.adoc[Unencrypted ECR repositories] | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py[CKV_AWS_136] |LOW diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-360.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-360.adoc index 4731ccb0e4..f1e6e5a53f 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-360.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-360.adoc 
@@ -46,3 +46,34 @@ resource "aws_docdb_cluster" "default" { } ---- + +*CloudFormation* + +To mitigate this issue, ensure that the `BackupRetentionPeriod` property in the `AWS::DocDB::DBCluster` resource is set to at least 7 days. + +Example: + +[source,json] +---- +{ + "Resources": { + "MyDocDBCluster": { + "Type": "AWS::DocDB::DBCluster", + "Properties": { + "BackupRetentionPeriod": 35, + ... + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MyDocDBCluster: + Type: AWS::DocDB::DBCluster + Properties: + BackupRetentionPeriod: 35 + ... +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-361.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-361.adoc index 456e3577b0..a324bcf5a7 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-361.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-361.adoc @@ -33,18 +33,29 @@ The reason why this policy is important is that if automated backups are not ena *Terraform* -* *Resource:* aws_neptune_cluster -* *Arguments:* backup_retention_period - -The Neptune DB cluster must be configured with automated backups enabled and retention period of at least 7 days. +To fix this issue, ensure that the `backup_retention_period` property in the `aws_neptune_cluster` resource is set to at least 7 days. [source,go] ---- resource "aws_neptune_cluster" "default" { - cluster_identifier = "neptune-cluster-demo" - engine = "neptune" + ... backup_retention_period = 7 - preferred_backup_window = "07:00-09:00" } ---- +*CloudFormation* + +To fix this issue, ensure that the `BackupRetentionPeriod` property in the `AWS::Neptune::DBCluster` resource is set to at least 7 days. + +Example: + +[source,yaml] +---- +Resources: + MyNeptuneDBCluster: + Type: AWS::Neptune::DBCluster + Properties: + BackupRetentionPeriod: 7 + ... +---- + 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-363.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-363.adoc index 72ead388f2..08a34c8753 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-363.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-363.adoc @@ -40,14 +40,44 @@ To fix this issue, you must define your AWS Lambda function with a current, supp Assuming you had originally defined your Lambda function with a deprecated runtime using Terraform, like the following: -[source,hcl] +[source,go] ---- resource "aws_lambda_function" "lambda_function" { - filename = "lambda_function_payload.zip" - function_name = "lambda_function_name" - role = aws_iam_role.lambda.arn - handler = "exports.test" - runtime = "nodejs8.10" + ... +- runtime = "nodejs8.10" ++ runtime = "nodejs18.x" } ---- + +*CloudFormation* + +To fix this issue, ensure that the `Runtime` property in the `AWS::Lambda::Function` or `AWS::Serverless::Function` resource is set to a supported runtime that is not deprecated. + +Example: + +[source,json] +---- +{ + "Resources": { + "MyLambdaFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + ... + "Runtime": "nodejs18.x", # Ensure to use a supported runtime + ... + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MyServerlessFunction: + Type: AWS::Serverless::Function + Properties: + ... + Runtime: nodejs18.x # Ensure to use a supported runtime +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-107.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-107.adoc index 02289114d2..8794e3d7d2 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-107.adoc 
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-107.adoc @@ -39,20 +39,43 @@ In case you do not provide a AWS KMS key then we ensure that your data is encryp *Terraform* -* *Resource:* aws_sagemaker_domain -* *Arguments:* kms_key_id - (Optional) The AWS KMS customer managed CMK used to encrypt the EFS volume attached to the domain. - +To fix this issue, ensure that the `kms_key_id` property in the `aws_sagemaker_domain` resource is set to a valid KMS key ARN or key ID. [source,go] ---- resource "aws_sagemaker_domain" "example" { - domain_name = "example" - auth_mode = "IAM" - vpc_id = aws_vpc.test.id - subnet_ids = [aws_subnet.test.id] + ... + kms_key_id = "ckv_kms" - default_user_settings { - execution_role = aws_iam_role.test.arn - } } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `KmsKeyId` property in the `AWS::SageMaker::NotebookInstance` or `AWS::SageMaker::Domain` resource is set to a valid KMS key ARN or key ID. + +Example for a SageMaker Notebook Instance: + +[source,yaml] +---- +Resources: + MySagemakerNotebookInstance: + Type: AWS::SageMaker::NotebookInstance + Properties: + ... + KmsKeyId: arn:aws:kms:us-west-2:123456789012:key/example-key-arn + ... +---- + +Example for a SageMaker Domain: + +[source,yaml] +---- +Resources: + MySagemakerDomain: + Type: AWS::SageMaker::Domain + Properties: + ... + KmsKeyId: arn:aws:kms:us-west-2:123456789012:key/example-key-arn + ... +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-28.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-28.adoc index 0822e4efce..2bfc62598b 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-28.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-28.adoc 
@@ -11,7 +11,7 @@ | 08e1e43c-e9e3-40a2-8201-65147b3a9dfd |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/DocDBEncryption.py[CKV_AWS_74] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py[CKV_AWS_74] |Severity |MEDIUM @@ -28,50 +28,7 @@ === Description - - -AWS DocumentDB clusters encryption at rest provides an additional layer of data protection by helping secure your data against unauthorized access to the underlying storage. On a cluster running with Amazon DocumentDB encryption, data stored at rest in the underlying storage is encrypted, as are its automated backups, snapshots, and replicas in the same cluster. We recommend enabling encryption at rest. - -//// -=== Fix - Runtime - - -Procedure - - - -. Create an Amazon DocumentDB cluster. - -. Under the Authentication section, choose Show advanced settings. - -. Scroll down to the Encryption-at-rest section. - -. Choose the option that you want for encryption at rest. -+ -Whichever option you choose, you can't change it after the cluster is created. -+ -To encrypt data at rest in this cluster, choose Enable encryption. - - -CLI Command - - - - -[source,go] ----- -{ - "aws docdb create-db-cluster \\ - --db-cluster-identifier sample-cluster \\ - --port 27017 \\ - --engine docdb \\ - --master-username yourMasterUsername \\ - --master-user-password yourMasterPassword \\ - --storage-encrypted", -} ----- - -//// +This policy ensures that Amazon DocumentDB (DocDB) clusters are encrypted at rest. Encrypting data at rest protects the data stored in your DocDB clusters from unauthorized access and potential data breaches. By default, DocDB clusters are unencrypted, so it is crucial to enable encryption to secure your data. === Fix - Buildtime 
@@ -92,3 +49,35 @@ resource "aws_docdb_cluster" "example" { ... } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `StorageEncrypted` property in the `AWS::DocDB::DBCluster` resource is set to `true`. + +Example: + +[source,json] +---- +{ + "Resources": { + "MyDocDBCluster": { + "Type": "AWS::DocDB::DBCluster", + "Properties": { ++ "StorageEncrypted": true, + ... + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MyDocDBCluster: + Type: AWS::DocDB::DBCluster + Properties: ++ StorageEncrypted: true + ... +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-32.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-32.adoc index 4b8edc6334..b1dc4bf3d5 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-32.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-32.adoc 
@@ -28,33 +28,12 @@ === Description -Amazon MSK integrates with AWS Key Management Service (KMS) for server-side encryption. -When you create an MSK cluster, you can specify the AWS KMS CMK for Amazon MSK to use to encrypt your data at rest. -If you don't specify a CMK, Amazon MSK creates an AWS managed CMK for you and uses it on your behalf. -We recommend using encryption in transit and at rest to secure your managed Kafka queue. +This policy identifies AWS Managed Streaming for Apache Kafka clusters having in-transit encryption in a disabled state. -//// -=== Fix - Runtime +In-transit encryption secures data while it's being transferred between brokers. Without it, there's a risk of data interception during transit. +It is recommended to enable in-transit encryption among brokers within the cluster. This ensures that all data exchanged within the cluster is encrypted, effectively protecting it from potential eavesdropping and unauthorized access. -CLI Command - - -Run the create-cluster command and use the encryption-info option to point to the file where you saved your configuration JSON. - - -[source,shell] ----- -{ - "aws kafka create-cluster ---cluster-name "ExampleClusterName" ---broker-node-group-info file://brokernodegroupinfo.json ---encryption-info file://encryptioninfo.json ---kafka-version "2.2.1" ---number-of-broker-nodes 3", -} ----- -//// === Fix - Buildtime @@ -62,11 +41,7 @@ Run the create-cluster command and use the encryption-info option to point to th *Terraform* -* *Resource:* aws_msk_cluster -* *Arguments:* encryption_info - (Optional) Configuration block for specifying encryption. -encryption_in_transit - (Optional) Configuration block to specify encryption in transit. - -See below. +To fix this issue, ensure that the `encryption_info` property in the `aws_msk_cluster` resource includes `encryption_in_transit` settings with `client_broker` set to `TLS` and `in_cluster` set to `true`. [source,go] 
@@ -85,3 +60,29 @@ resource "aws_msk_cluster" "example" { ... } ---- + +*CloudFormation* + +To fix this issue, ensure that the `EncryptionInfo` property in the `AWS::MSK::Cluster` resource includes `EncryptionInTransit` settings with `ClientBroker` set to `TLS` and `InCluster` set to `true`. + +Example: + +[source,yaml] +---- +Resources: + MyMSKCluster: + Type: AWS::MSK::Cluster + Properties: + ClusterName: example-cluster + KafkaVersion: 2.8.0 + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + ... + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: arn:aws:kms:us-west-2:123456789012:key/example-key-arn + EncryptionInTransit: + ClientBroker: TLS + InCluster: true + ... +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.adoc index aa5f9e6759..ab1033b5e3 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.adoc 
@@ -27,75 +27,119 @@ === Description +This policy ensures that the Load Balancer Listener is using at least TLS v1.2. TLS (Transport Layer Security) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party can eavesdrop or tamper with any message. This check validates that ElasticLoadBalancing V2 Listener is using at least TLS v1.2 to maintain strong security standards. -A listener in an AWS Load Balancer is a process that checks for connection requests. -Users can define a listener when creating a load balancer, and add listeners to the load balancer at any time. -The HTTPS listener enables traffic encryption between your load balancer and the clients that initiate SSL or TLS sessions. - -//// -=== Fix - Runtime - - -AWS Console +=== Fix - Buildtime +*Terraform* -. Go to the Amazon EC2 console at https://console.aws.amazon.com/ec2/. +To fix this issue, you should ensure that your load balancer listener configuration has the `ssl_policy` property set to at least TLS v1.2. Below is an example of how to set this property in a Terraform configuration: -. On the navigation pane, under LOAD BALANCING, select Load Balancers. +[source,go] +---- +resource "aws_lb_listener" "example" { + load_balancer_arn = aws_lb.example.arn + protocol = "HTTPS" + port = "443" + + ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" -. Select the load balancer and choose Listeners. -+ -4.Select the check box for the TLS listener and choose Edit. + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.example.arn + } +} +---- -. For Security policy, choose a security policy. 
+[source,go] +---- +resource "aws_alb_listener" "example" { + load_balancer_arn = aws_alb.example.arn + protocol = "HTTPS" + port = "443" + + ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" + default_action { + type = "forward" + target_group_arn = aws_alb_target_group.example.arn + } +} +---- -CLI Command +Additionally, if your load balancer listener uses a redirect action, ensure that the `default_action.redirect.protocol` property is set to `HTTPS`. +Example: +[source,go] +---- +resource "aws_lb_listener" "example_redirect" { + load_balancer_arn = aws_lb.example.arn + protocol = "HTTP" + port = "80" + default_action { + type = "redirect" -[source,text] ----- -{ - "modify-listener ---listener-arn & lt;value> -[--port & lt;value>] -[--protocol & lt;value>] -[--ssl-policy & lt;value>]", + redirect { + protocol = "HTTPS" + port = "443" + status_code = "HTTP_301" + } + } } ---- -//// -=== Fix - Buildtime +[source,go] +---- +resource "aws_alb_listener" "example_redirect" { + load_balancer_arn = aws_alb.example.arn + protocol = "HTTP" + port = "80" + default_action { + type = "redirect" -*Terraform* + redirect { + protocol = "HTTPS" + port = "443" + status_code = "HTTP_301" + } + } +} +---- -* *Resource:* aws_lb_listener -* *Attribute:* protocol - (Optional) +*CloudFormation* -The protocol for connections from clients to the load balancer. -For Application Load Balancers, valid values are HTTP and HTTPS, with a default of HTTP. -For Network Load Balancers, valid values are TCP, TLS, UDP, and TCP_UDP. -Not valid to use UDP or TCP_UDP if dual-stack mode is enabled. -Not valid for Gateway Load Balancers. +To mitigate this issue, ensure that the `SslPolicy` property in the `AWS::ElasticLoadBalancingV2::Listener` resource is properly configured to use at least TLS v1.2. 
+Example: -[source,go] +[source,json] ---- -resource "aws_lb_listener" "front_end" { - load_balancer_arn = aws_lb.front_end.arn - port = "443" - protocol = "HTTPS" - + ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" - certificate_arn = "arn:aws:acm:eu-west-2:999999999:certificate/77777777-5d4a-457f-8888-02550c8c9244" - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.front_end.arn +{ + "Resources": { + "ExampleALBListener": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "Protocol": "HTTPS", + "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01", + ... + } + } } } ---- + +[source,yaml] +---- +Resources: + ExampleALBListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + Protocol: HTTPS + SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01 + ... +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-caching-is-enabled.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-caching-is-enabled.adoc deleted file mode 100644 index faeb69a530..0000000000 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-caching-is-enabled.adoc +++ /dev/null 
@@ -1,76 +0,0 @@ -== AWS API Gateway caching is disabled - - -=== Policy Details -[width=45%] -[cols="1,1"] -|=== -|Prisma Cloud Policy ID -| 09e59cb9-5aaf-489a-a20a-9b6a4246c0ca - -|Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py[CKV_AWS_120] - -|Severity -|LOW - -|Subtype -|Build - -|Frameworks -|Terraform,CloudFormation - -|=== - - - -=== Description - -A cache cluster caches responses. -With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API. - -//// -=== Fix - Runtime - -. Go to the API Gateway console. - -. Select an API. - -. Select Stages. - -. In the Stages list for the API, select the required stage. - -. Go to the Settings tab. - -. Select Enable API cache. - -. Wait until cache creation is complete. -//// - -=== Fix - Buildtime - - -*Terraform* - - ----- -resource "aws_api_gateway_rest_api" "example" { - -... - -... -} ----- - - -*CloudFormation* - - ----- -Resources: -Prod: -Type: AWS::ApiGateway::Stage -Properties: - -... ----- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-appsync-is-protected-by-waf.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-appsync-is-protected-by-waf.adoc index 52259f4791..f12c9aad17 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-appsync-is-protected-by-waf.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-appsync-is-protected-by-waf.adoc @@ -35,7 +35,7 @@ It can also help to prevent DDoS attacks by allowing you to set rate-based rules *Terraform* - +To mitigate this issue, ensure that `aws_appsync_graphql_api` are connected with `aws_wafv2_web_acl_association` resources. [source,go] ---- 
@@ -49,3 +49,25 @@ resource "aws_wafv2_web_acl_association" "pass" { web_acl_arn = aws_wafv2_web_acl.example.arn } ---- + +To fix this issue, ensure that your AWS AppSync GraphQL API is associated with an AWS WAFv2 WebACL. You can use the `AWS::WAFv2::WebACLAssociation` resource to create this association. + +Example: + +[source,yaml] +---- +Resources: + GoodAppSyncGraphQLApi: + Type: "AWS::AppSync::GraphQLApi" + Properties: + ... + GoodWAFv2WebACL: + Type: "AWS::WAFv2::WebACL" + Properties: + ... + WebACLAssociation: + Type: AWS::WAFv2::WebACLAssociation + Properties: + ResourceArn: !GetAtt GoodAppSyncGraphQLApi.Arn + WebACLArn: !GetAtt GoodWAFv2WebACL.Arn +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-appsyncs-logging-is-enabled.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-appsyncs-logging-is-enabled.adoc index 24cab9a102..1a1bb51562 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-appsyncs-logging-is-enabled.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-appsyncs-logging-is-enabled.adoc @@ -9,7 +9,7 @@ | 4a84ac0e-9881-4afd-ac3c-7d5c6da1de8b |Checkov ID -| https://github.com/bridgecrewio/checkov/blob/master/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py[CKV_AWS_193] +| https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py[CKV_AWS_193] |Severity |LOW 
@@ -26,14 +26,14 @@ === Description -It is recommended to have a proper logging process for AWS AppSync in order to track configuration changes conducted manually and programmatically and trace back unapproved changes. +This policy ensures that AWS AppSync GraphQL APIs have logging enabled. Enabling logging for AppSync allows you to capture, store, and analyze the API activity, which is crucial for monitoring, troubleshooting, and ensuring the security of your API. This policy checks whether the `CloudWatchLogsRoleArn` property in the `LogConfig` configuration is set to a valid value. === Fix - Buildtime *Terraform* - +To mitigate this issue, ensure that `cloudwatch_logs_role_arn` is set in the `aws_appsync_graphql_api` resource. [source,go] @@ -48,3 +48,23 @@ resource "aws_appsync_graphql_api" "enabled" { } } ---- + +*CloudFormation* + +To fix this issue, ensure that the `CloudWatchLogsRoleArn` property in the `LogConfig` configuration of the `AWS::AppSync::GraphQLApi` resource is set to a valid IAM role ARN that grants permission to write logs to CloudWatch. + +Example: + +[source,yaml] +---- +Resources: + MyAppSyncGraphQLApi: + Type: AWS::AppSync::GraphQLApi + Properties: + Name: example-api + AuthenticationType: API_KEY + LogConfig: + CloudWatchLogsRoleArn: arn:aws:iam::123456789012:role/appsync-logging-role + FieldLogLevel: ALL + ... +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.adoc index 92e5a2250f..9140753719 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.adoc 
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.adoc @@ -15,8 +15,7 @@ |MEDIUM |Subtype -|Build -//Run +|Build, Run |Frameworks |Terraform,CloudFormation 
@@ -27,22 +26,55 @@ === Description -The AWS AuthType for your Lambda function URLs determines how users are authenticated when they access the URLs of your Lambda functions. -It is important to ensure that the AWS AuthType for your Lambda function URLs is defined because it helps to secure your functions and protect them from unauthorized access. +This policy identifies AWS Lambda functions which have function URL AuthType set to NONE. AuthType determines how Lambda authenticates or authorises requests to your function URL. When AuthType is set to NONE, Lambda doesn't perform any authentication before invoking your function. It is highly recommended to set AuthType to AWS_IAM for Lambda function URL to authenticate via AWS IAM. === Fix - Buildtime *Terraform* - - +To fix this issue, ensure that the `authorization_type` property in the `aws_lambda_function_url` resource is set to a value other than `None`. For example, you can set it to `AWS_IAM` to enforce IAM-based authentication. [source,go] ---- resource "aws_lambda_function_url" "pass" { function_name = aws_lambda_function.test.function_name qualifier = "my_alias" - authorization_type = "AWS_IAM" +- authorization_type = "None" ++ authorization_type = "AWS_IAM" +} +---- + + +*CloudFormation* + +To fix this issue, ensure that the `AuthType` property in the `AWS::Lambda::Url` resource is set to a value other than `None`. For example, you can set it to `AWS_IAM` to enforce IAM-based authentication. + +Example: + +[source,json] +---- +{ + "Resources": { + "MyLambdaFunctionURL": { + "Type": "AWS::Lambda::Url", + "Properties": { +- "AuthType": None, ++ "AuthType": "AWS_IAM", + ... + } + } + } } ---- + +[source,yaml] +---- +Resources: + MyLambdaFunctionURL: + Type: AWS::Lambda::Url + Properties: +- AuthType: None ++ AuthType: AWS_IAM + ... +---- \ No newline at end of file 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability.adoc deleted file mode 100644 index c3997b577c..0000000000 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability.adoc +++ /dev/null @@ -1,62 +0,0 @@ -== AWS MQBroker audit logging is disabled - - -=== Policy Details - -[width=45%] -[cols="1,1"] -|=== -|Prisma Cloud Policy ID -| 6cc22562-8bcd-4e12-8610-77e926cf4fa7 - -|Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py[CKV_AWS_197] - -|Severity -|LOW - -|Subtype -|Build - -|Frameworks -|Terraform - -|=== - - - -=== Description - - -This policy identifies AWS CloudFront attached with WAFv2 WebACL which is not configured with AWS Managed Rules (AMR) for Log4j Vulnerability. -As per the guidelines given by AWS, CloudFront attached with WAFv2 WebACL should be configured with AWS Managed Rules (AMR) AWSManagedRulesKnownBadInputsRuleSet and AWSManagedRulesAnonymousIpList to protect from Log4j Vulnerability (CVE-2021-44228). - -For more information please see https://aws.amazon.com/security/security-bulletins/AWS-2021-006/[here] - -=== Fix - Buildtime - - -*Terraform* - - - - -[source,go] ----- -resource "aws_mq_broker" "enabled" { - broker_name = "example" - engine_type = "ActiveMQ" - engine_version = "5.16.3" - host_instance_type = "mq.t3.micro" - - user { - password = "admin123" - username = "admin" - } - - logs { - general = true - audit = true - } -} ----- \ No newline at end of file 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration.adoc index 00ffda0d5f..3768cc2c5a 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration.adoc @@ -10,7 +10,7 @@ | 35f1c888-1566-49c5-bd40-c10b6a152ce8 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py[CKV_AWS_195] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py[CKV_AWS_195] |Severity |LOW 
@@ -27,45 +27,96 @@ === Description - -A security configuration specifies the encryption settings for data stored on data stores and for data in transit. -By associating your Glue components with a security configuration, you can ensure that your data is encrypted in accordance with your security requirements. -Encrypting your data can help protect it from unauthorized access and ensure the confidentiality of your data. -This is especially important for sensitive data, such as financial or personal information. +This policy ensures that AWS Glue components (Crawlers, DevEndpoints, and Jobs) have a security configuration associated. Associating a security configuration with Glue components helps ensure the security of data in transit and at rest, which is critical for maintaining data integrity and protecting sensitive information. This policy checks whether the `CrawlerSecurityConfiguration` or `SecurityConfiguration` property is configured appropriately for Glue components. === Fix - Buildtime -*Terraform* - +*Terraform* +To fix this issue, ensure that the `security_configuration` property in the `aws_glue_crawler`, `aws_glue_dev_endpoint`, and `aws_glue_job` resources is set to a valid security configuration. +Example for a Glue Crawler: -[source,text] +[source,go] +---- +resource "aws_glue_crawler" "example" { + ... + security_configuration = "example-security-configuration" + ... +} ---- -resource "aws_glue_crawler" "enabled" { - database_name = "aws_glue_catalog_database.example.name" - name = "example" - role = "aws_iam_role.example.arn" - security_configuration = "aws_glue_security_configuration.example.name" +Example for a Glue DevEndpoint: + +[source,go] +---- +resource "aws_glue_dev_endpoint" "example" { + ... + security_configuration = "example-security-configuration" + ... 
} +---- -resource "aws_glue_dev_endpoint" "enabled" { - name = "example" - role_arn = "aws_iam_role.example.arn" +Example for a Glue Job: - security_configuration = "aws_glue_security_configuration.example.name" +[source,go] +---- +resource "aws_glue_job" "example" { + ... + security_configuration = "example-security-configuration" + ... } +---- -resource "aws_glue_job" "enabled" { - name = "example" - role_arn = "aws_iam_role.example.arn" +*CloudFormation* - security_configuration = "aws_glue_security_configuration.example.name" +To fix this issue, ensure that the appropriate security configuration properties are set for your Glue components. - command { - script_location = "s3://aws_s3_bucket.example.bucket/example.py" - } -} +Example for a Glue Crawler: + +[source,yaml] +---- +Resources: + MyGlueCrawler: + Type: AWS::Glue::Crawler + Properties: + Name: example-crawler + Role: arn:aws:iam::123456789012:role/glue-role + DatabaseName: example-database + Targets: + ... + CrawlerSecurityConfiguration: example-security-configuration + ... +---- + +Example for a Glue DevEndpoint: + +[source,yaml] +---- +Resources: + MyGlueDevEndpoint: + Type: AWS::Glue::DevEndpoint + Properties: + EndpointName: example-dev-endpoint + RoleArn: arn:aws:iam::123456789012:role/glue-role + SecurityConfiguration: example-security-configuration + ... +---- + +Example for a Glue Job: + + +[source,yaml] +---- +Resources: + MyGlueJob: + Type: AWS::Glue::Job + Properties: + Name: example-job + Role: arn:aws:iam::123456789012:role/glue-role + Command: + ... + SecurityConfiguration: example-security-configuration + ... ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-mqbroker-audit-logging-is-enabled.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-mqbroker-audit-logging-is-enabled.adoc index 361bee25ad..30398ed26b 100644 
--- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-mqbroker-audit-logging-is-enabled.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-mqbroker-audit-logging-is-enabled.adoc @@ -9,7 +9,7 @@ | 6cc22562-8bcd-4e12-8610-77e926cf4fa7 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py[CKV_AWS_197] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py[CKV_AWS_197] |Severity |LOW 
@@ -26,32 +26,43 @@ === Description -It is recommended to have a proper logging process for AWS MQBroke in order to track configuration changes conducted manually and programmatically and trace back unapproved changes. +This policy ensures that Amazon MQ Brokers have audit logging enabled. Audit logging is crucial for tracking access and changes to your MQ Brokers, thereby providing visibility into security-relevant events and supporting compliance requirements. This policy checks whether the `logs` property is configured to enable `audit` logging. Note that audit logging is not supported for RabbitMQ engine types. === Fix - Buildtime *Terraform* +To fix this issue, ensure that the `logs` property in the `aws_mq_broker` resource includes `audit` set to `true`, unless the engine type is `RabbitMQ`. - +Example: [source,go] ---- -resource "aws_mq_broker" "enabled" { - broker_name = "example" - engine_type = "ActiveMQ" - engine_version = "5.16.3" - host_instance_type = "mq.t3.micro" - - user { - password = "admin123" - username = "admin" - } - +resource "aws_mq_broker" "example" { + ... logs { - general = true - audit = true + audit = true } + ... } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `Audit` property in the `Logs` configuration of the `AWS::AmazonMQ::Broker` resource is set to `true`, unless the engine type is `RabbitMQ`. + +Example: + +[source,yaml] +---- +Resources: + MyMQBroker: + Type: AWS::AmazonMQ::Broker + Properties: + ... + Logs: + Audit: true + ... +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-ebs-default-encryption-is-enabled.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-ebs-default-encryption-is-enabled.adoc index a00ff12f42..1615ff0d6b 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-ebs-default-encryption-is-enabled.adoc 
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-ebs-default-encryption-is-enabled.adoc @@ -10,14 +10,13 @@ | 6960be11-e3a6-46cc-bf66-933c57c2af5d |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py[CKV_AWS_106] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py[CKV_AWS_106] |Severity |LOW |Subtype -|Build -//Run +|Build, Run |Frameworks |Terraform,TerraformPlan @@ -28,21 +27,7 @@ === Description - -This policy identifies AWS regions in which new EBS volumes are getting created without any encryption. -Encrypting data at rest reduces unintentional exposure of data stored in EBS volumes. -It is recommended to configure EBS volume at the regional level so that every new EBS volume created in that region will be enabled with encryption by using a provided encryption key. - -//// -=== Fix - Runtime - - -AWS Console - - -To enable encryption at region level by default, follow below URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default -Additional Information: To detect existing EBS volumes that are not encrypted ; refer Saved Search: AWS EBS volumes are not encrypted_RL To detect existing EBS volumes that are not encrypted with CMK, refer Saved Search: AWS EBS volume not encrypted using Customer Managed Key_RL -//// +This policy identifies AWS regions in which new EBS volumes are getting created without any encryption. Encrypting data at rest reduces unintentional exposure of data stored in EBS volumes. It is recommended to configure EBS volume at the regional level so that every new EBS volume created in that region will be enabled with encryption by using a provided encryption key. === Fix - Buildtime 
@@ -59,4 +44,4 @@ Additional Information: To detect existing EBS volumes that are not encrypted ; resource "aws_ebs_encryption_by_default" "enabled" { + enabled = true } ----- \ No newline at end of file +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-glue-component-has-a-security-configuration-associated.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-glue-component-has-a-security-configuration-associated.adoc deleted file mode 100644 index 5085781b7c..0000000000 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-glue-component-has-a-security-configuration-associated.adoc +++ /dev/null 
@@ -1,88 +0,0 @@ -== AWS Glue component is not associated with a security configuration - -=== Policy Details - -[width=45%] -[cols="1,1"] -|=== -|Prisma Cloud Policy ID -| 35f1c888-1566-49c5-bd40-c10b6a152ce8 - -|Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py[CKV_AWS_195] - -|Severity -|LOW - -|Subtype -|Build - -|Frameworks -|Terraform,CloudFormation - -|=== - - - - -=== Description - -Ensure that AWS Glue components Crawlers, Jobs, and Development Endpoints have a security configuration associated. -It is needed to encrypt data at rest. - -//// -=== Fix - Runtime - - -*CLI Command* - - -[source,shell] ----- -aws glue update-crawler \ ---name & lt;value> \ -[--crawler-security-configuration & lt;value>] ----- -//// - -=== Fix - Buildtime - - -* *Resources:* `aws_glue_crawler`, `aws_glue_dev_endpoint` and `aws_glue_job` -* *Arguments:* `security_configuration` - -[source,hcl] ----- -resource "aws_glue_crawler" "example" { -name = "example" - -... -security_configuration = aws_glue_security_configuration.example.name -} ----- - - -*CloudFormation* - - -* *Resources:* `AWS::Glue::Crawler`, `AWS::Glue::DevEndpoint` and `AWS::Glue::Job` -* *Arguments:* `Properties.CrawlerSecurityConfiguration` or `SecurityConfiguration` - -[source,yaml] ----- -Resources: -Crawler: -Type: AWS::Glue::Crawler -Properties: -Name: example - -... -CrawlerSecurityConfiguration: !Ref SecurityConfiguration -Job: -Type: AWS::Glue::Job -Properties: -Name: example - -... -SecurityConfiguration: !Ref SecurityConfiguration ----- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.adoc index a219371226..326fcc73c0 100644 
--- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.adoc @@ -50,7 +50,7 @@ When you connect a function to a VPC, it can only access resources and the inter NOTE: If both subnet_ids and security_group_ids are empty then vpc_config is considered to be empty or unset. -[source,text] +[source,go] ---- resource "aws_lambda_function" "test_lambda" { ... @@ -62,3 +62,55 @@ resource "aws_lambda_function" "test_lambda" { } } ---- + + +*CloudFormation* + +To fix this issue, you should ensure that your AWS Lambda function configuration includes the `VpcConfig` property. Below is an example of how to set this property in a CloudFormation configuration: + +Example: + +[source,json] +---- +{ + "Resources": { + "ExampleLambdaFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Role": "arn:aws:iam::123456789012:role/lambda-role", + "Code": { + "S3Bucket": "my-bucket", + "S3Key": "my-function.zip" + }, + "VpcConfig": { + "SubnetIds": [ + "subnet-0bb1c79de3EXAMPLE" + ], + "SecurityGroupIds": [ + "sg-085912345678492fb" + ] + } + } + } + } +} +---- + +[source,yaml] +---- +Resources: + ExampleLambdaFunction: + Type: AWS::Lambda::Function + Properties: + Handler: "index.handler" + Role: "arn:aws:iam::123456789012:role/lambda-role" + Code: + S3Bucket: "my-bucket" + S3Key: "my-function.zip" + VpcConfig: + SubnetIds: + - "subnet-0bb1c79de3EXAMPLE" + SecurityGroupIds: + - "sg-085912345678492fb" +---- \ No newline at end of file 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-dynamodb-tables-are-encrypted.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-dynamodb-tables-are-encrypted.adoc deleted file mode 100644 index 54c2147a7b..0000000000 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-dynamodb-tables-are-encrypted.adoc +++ /dev/null @@ -1,54 +0,0 @@ -== Unencrypted DynamoDB Tables - - -=== Policy Details - -[width=45%] -[cols="1,1"] -|=== -|Prisma Cloud Policy ID -| 0913d5c3-1833-4709-9a50-7fc58b65e494 - -|Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py[CKV_AWS_119] - -|Severity -|LOW - -|Subtype -|Build - -|Frameworks -|CloudFormation,Terraform,TerraformPlan,Serverless - -|=== - - - -=== Description - - -Encrypting your Amazon DynamoDB helps protect your data from unauthorized access or tampering. -That way, you can ensure that only authorized users can access and modify the contents of your DBs. -Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access. - -=== Fix - Buildtime - - -*Terraform* - - -* *Resource:* aws_dynamodb_table -* *Arguments:* server_side_encryption - - -[source,go] ----- -resource "aws_dynamodb_table" "basic-dynamodb-table" { - ... - server_side_encryption { -+ enabled = true -+ kms_key_arn= aws_kms_key.dynamo.arn - } -} ----- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.adoc index f4a3ee319e..fa194aac50 100644 
--- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.adoc @@ -27,9 +27,7 @@ === Description - -By default, secrets manager secrets are encrypted using the AWS-managed key `aws/secretsmanager`. -It is best practice to explicitly provide a customer managed key to use instead. +This policy ensures that AWS Secrets Manager secrets are encrypted using a customer-managed key (CMK) in AWS Key Management Service (KMS). Using a CMK provides additional control over the encryption keys used to protect your secrets, allowing you to manage key policies, rotation, and usage. This policy checks whether the `KmsKeyId` property is set to a value that does not contain the prefix `aws/` which indicates the use of the default AWS-managed key. === Fix - Buildtime @@ -48,3 +46,21 @@ resource "aws_secretsmanager_secret" "enabled" { + kms_key_id = var.kms_key_id } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `KmsKeyId` property in the `AWS::SecretsManager::Secret` resource is set to a customer-managed KMS key ARN or ID. + +Example: + +[source,yaml] +---- +Resources: + MySecretManagerSecret: + Type: AWS::SecretsManager::Secret + Properties: + Name: example-secret + KmsKeyId: arn:aws:kms:us-west-2:123456789012:key/example-key-arn + ... +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-workspace-user-volumes-are-encrypted.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-workspace-user-volumes-are-encrypted.adoc index dc65cb8752..ec715694e1 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-workspace-user-volumes-are-encrypted.adoc 
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-workspace-user-volumes-are-encrypted.adoc @@ -51,8 +51,6 @@ resource "aws_workspaces_workspace" "pass" { ... } ---- ----- ----- *CloudFormation* @@ -64,8 +62,6 @@ resource "aws_workspaces_workspace" "pass" { [source,yaml] ---- ----- ----- Type: AWS::WorkSpaces::Workspace Properties: ... diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-25.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-25.adoc index 35ee75a9f1..24f2201078 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-25.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-25.adoc @@ -16,8 +16,7 @@ |LOW |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -28,34 +27,24 @@ === Description - -We recommend all data stored in the Redshift cluster is securely encrypted at rest, you can create new encrypted clusters or enable CMK encryption on existing clusters, as AWS says "You can enable encryption when you launch your cluster, or you can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption" https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html +This policy identifies AWS Redshift instances which are not encrypted. These instances should be encrypted for clusters to help protect data at rest which otherwise can result in a data breach. === Fix - Buildtime -*Terraform* - - -* *Resource:* aws_redshift_cluster -* *Arguments:* encrypted, ensure that this argument is set to true to protect this database. -This change may recreate your cluster. +*Terraform* +In order to mitigate this issue, ensure `encrypted` is set to `true`. [source,go] ---- -{ - "resource "aws_redshift_cluster" "redshift" { +resource "aws_redshift_cluster" "redshift" { ... cluster_identifier = "shifty" + encrypted = true kms_key_id = var.kms_key_id ... } - -", - -} ---- @@ -65,14 +54,13 @@ This change may recreate your cluster. * *Resource:* AWS::Redshift::Cluster * *Arguments:* Properties.Encrypted +In order to mitigate this issue, ensure that `Encrypted` is set to `true`. + [source,yaml] ---- -{ - "Type: "AWS::Redshift::Cluster" + Type: "AWS::Redshift::Cluster" Properties: ... -+ Encrypted: true", - -} ++ Encrypted: true ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4.adoc index 9f84422e82..4ced18aa1c 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4.adoc 
@@ -87,40 +87,30 @@ If you use the CreateDBInstance API operation, set the StorageEncrypted paramete *Terraform* -* *Resource:* aws_db_instance -* *Arguments:* storage_encrypted - Specifies whether the DB instance is encrypted. +To mitigate this issue, set the `storage_encrypted` attribute of the `aws_db_instance` to true. [source,go] ---- -{ - "resource "aws_db_instance" "example" { +resource "aws_db_instance" "example" { ... name = "mydb" + storage_encrypted = true } - -", -} ---- *CloudFormation* - -* *Resource:* AWS::RDS::DBInstance -* *Arguments:* Properties.StorageEncrypted +To mitigate this issue, set the `StorageEncrypted` attribute of the `AWS::RDS::DBInstance` to true. [source,yaml] ---- -{ - "Resources: + Resources: DB: Type: 'AWS::RDS::DBInstance' Properties: ... -+ StorageEncrypted: true", - -} ++ StorageEncrypted: true ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364.adoc index f5449d2953..890172d813 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364.adoc 
@@ -19,13 +19,13 @@ |Build |Frameworks -|Terraform,TerraformPlan +|Terraform, TerraformPlan, CloudFormation |=== === Description -This policy is checking to ensure that permissions granted to AWS Lambda functions by other AWS services are adequately restricted by either the SourceArn or SourceAccount. The importance of this check lies in securing the function against unnecessary or excessive access by limiting permissions to the specific AWS service that requires it. If such restrictions are not in place, the function could be open to misuse or unauthorized access, compromising the integrity and security of your applications and data in AWS. By limiting permissions using SourceArn or SourceAccount, you narrow the scope of access, reducing potential security risks. +This policy ensures that AWS Lambda function permissions delegated to AWS services are restricted by `SourceArn` or `SourceAccount`. This helps prevent unauthorized access and limits the scope of permissions granted to Lambda functions. === Fix - Buildtime 
@@ -43,9 +43,44 @@ resource "aws_lambda_permission" "with_sns" { action = "lambda:InvokeFunction" function_name = aws_lambda_function.example.function_name principal = "sns.amazonaws.com" - source_arn = aws_sns_topic.example.arn ++ source_arn = aws_sns_topic.example.arn } ---- The above code is secure because it explicitly defines the source of the permissions using the source_arn attribute. This prevents malicious entities from granting themselves permissions to the Lambda function. The attribute source_arn limits the delegation of the permission to the supplied resource, preventing resources outside of the supplied ARN from invoking the Lambda Function. + +*CloudFormation* + +To mitigate this issue, ensure that the `AWS::Lambda::Permission` resource includes the `SourceArn` or `SourceAccount` property to limit the permissions delegated to AWS services. + +Example: + +[source,json] +---- +{ + "Resources": { + "MyLambdaPermission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Action": "lambda:InvokeFunction", + "FunctionName": "MyFunction", + "Principal": "sns.amazonaws.com", ++ "SourceArn": "arn:aws:sns:us-east-1:123456789012:MyTopic" + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MyLambdaPermission: + Type: AWS::Lambda::Permission + Properties: + Action: lambda:InvokeFunction + FunctionName: MyFunction + Principal: sns.amazonaws.com ++ SourceArn: arn:aws:sns:us-east-1:123456789012:MyTopic +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45.adoc index c72ab5f232..9285a271b4 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-45.adoc 
@@ -10,7 +10,7 @@ | 84214659-a01d-48d0-aee8-9b00ce51bfdd |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py[CKV_AWS_61] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py[CKV_AWS_61] |Severity |HIGH @@ -38,12 +38,38 @@ The main benefit of the Principal entity is to limit the use of wildcards in the === Fix - Buildtime +*Terraform* + +To fix this issue, ensure that the `assume_role_policy` in the `aws_iam_role` resource is configured with specific AWS accounts or principals and does not allow assume role permission to any AWS account. + +Example: + +[source,go] +---- +resource "aws_iam_role" "example" { + name = "example-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::123456789012:role/allowed-role" + } + Action = "sts:AssumeRole" + } + ] + }) + ... +} +---- + *CloudFormation* -* *Resource:* AWS::IAM::Role -* *Arguments:* Properties.AssumeRolePolicyDocument.Statement +To fix this issue, ensure that the `AssumeRolePolicyDocument` in the `AWS::IAM::Role` resource is configured with specific AWS accounts or principals and does not allow assume role permission to any AWS account. [source,yaml] diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.adoc index 1284e1d7bd..1530eec049 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.adoc 
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.adoc @@ -10,7 +10,7 @@ | 94ef4e9f-1263-4677-b3e3-b641ea9094e1 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/data/aws/IAMWriteAccess.py[CKV_AWS_111] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py[CKV_AWS_111] |Severity |LOW diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-kms-key-policy-does-not-contain-wildcard-principal.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-kms-key-policy-does-not-contain-wildcard-principal.adoc index 4cb0c056bc..770e23941d 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-kms-key-policy-does-not-contain-wildcard-principal.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-kms-key-policy-does-not-contain-wildcard-principal.adoc @@ -10,14 +10,13 @@ | 2b68ad79-4c8b-48dd-8459-2d86203e862b |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py[CKV_AWS_33] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py[CKV_AWS_33] |Severity |MEDIUM |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -28,19 +27,46 @@ === Description +This policy identifies KMS Keys that have a key policy overly permissive. Key policies are the primary way to control access to customer master keys (CMKs) in AWS KMS. It is recommended to follow the principle of least privilege ensuring that KMS key policy does not have all the permissions to be able to complete a malicious action. -A wildcard principal is a placeholder that allows access to all users or accounts, and can potentially expose your KMS keys to unauthorized access. -By removing wildcard principals from your key policies, you can ensure that only specific users or accounts have access to your KMS keys. -This can help to improve the security of your keys and reduce the risk of unauthorized access. +For more details: +https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#overview-policy-elements === Fix - Buildtime -*CloudFormation* +*Terraform* + +To fix this issue, ensure that the KMS key policy does not use wildcard (`*`) principals. Instead, specify specific AWS accounts or roles. + +Example: + +[source,go] +---- +resource "aws_kms_key" "example" { + description = "example key" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Sid = "Allow access for Key Administrators" + Effect = "Allow" + Principal = { +- AWS = "*" ++ AWS = "arn:aws:iam::123456789012:role/admin" + } + Action = "kms:*" + Resource = "*" + } + ] + }) +} +---- -* *Resource:* AWS::KMS::Key -* *Arguments:* Properties.Statement.Principal +*CloudFormation* + +To fix this issue, ensure that the KMS key policy does not use wildcard (`*`) principals. Instead, specify specific AWS accounts or roles. [source,yaml] 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-rds-cluster-has-iam-authentication-enabled.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-rds-cluster-has-iam-authentication-enabled.adoc index c55e1d1324..6f6c45df62 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-rds-cluster-has-iam-authentication-enabled.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-rds-cluster-has-iam-authentication-enabled.adoc @@ -29,8 +29,7 @@ === Description -IAM authentication uses AWS Identity and Access Management (IAM) to authenticate users and applications that connect to your RDS database. -This can be more secure than traditional password-based authentication, as it allows you to use IAM policies and multi-factor authentication to control access to your database. +This policy identifies RDS clusters that are not configured with IAM authentication. If you enable IAM authentication you don't need to store user credentials in the database, because authentication is managed externally using IAM. IAM database authentication provides the network traffic to and from database clusters is encrypted using Secure Sockets Layer (SSL), Centrally manage access to your database resources and Profile credentials instead of a password, for greater security. === Fix - Buildtime diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.adoc index f796ce239e..b0ce00cca0 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.adoc 
@@ -10,62 +10,42 @@ | 2b7e07ba-56c8-42db-8db4-a4b65f5066c4 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py[CKV_AWS_40] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py[CKV_AWS_40] |Severity |LOW |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless |=== -//// -Bridgecrew -Prisma Cloud -* AWS IAM policy attached to users* +=== Description +This policy identifies IAM policies attached to user. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups but not users. -=== Policy Details - -[width=45%] -[cols="1,1"] -|=== -|Prisma Cloud Policy ID -| 2b7e07ba-56c8-42db-8db4-a4b65f5066c4 - -|Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py [CKV_AWS_40] - -|Severity -|LOW - -|Subtype -|Build -//, Run - -|Frameworks -|CloudFormation,Terraform,TerraformPlan,Serverless +=== Fix - Buildtime -|=== -//// +*Terraform* -=== Description +To fix this issue, ensure that IAM policies are not directly attached to users. Instead, attach the policies to groups or roles. +Example: -By default, IAM users, groups, and roles have no access to AWS resources. -IAM policies are the means by which privileges are granted to users, groups, or roles. -Assigning privileges at the group or role level reduces the complexity of access management as the number of users increase. -Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges. -We recommend that IAM policies are applied directly to groups and roles, but not to users. 
+[source,go] +---- +resource "aws_iam_policy_attachment" "fail" { + name = "example" + policy_arn = "aws_iam_policy.policy.arn" -=== Fix - Buildtime +- users = ["example"] +} +---- *CloudFormation* diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-48.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-48.adoc index 7c1c3eba6a..7cf39d09d6 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-48.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-48.adoc @@ -10,7 +10,7 @@ | 43727ea1-1037-4398-be4a-f07e3eff716c |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py[CKV_AWS_63] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py[CKV_AWS_63] |Severity |HIGH 
@@ -28,54 +28,8 @@ === Description -IAM policies should grant a minimum set of permissions, adding more as required, rather than grant full administrative privileges. -Providing full administrative privileges when not required exposes resources to potentially unwanted actions. +This policy ensures that IAM policy documents do not allow "*" as a statement's actions. Allowing "*" in the actions of an IAM policy grants permissions to all actions, which can lead to potential security risks and unauthorized access. This policy checks whether any IAM policy documents contain statements with `"Action": "*"`, which should be avoided. -//// -=== Fix - Runtime - - -* AWS Console* - - - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the https://console.aws.amazon.com/iam/ [Amazon IAM console]. - -. In the navigation pane, click * Policies **and then search for the policy name found in the audit step. - -. Select the policy that needs to be deleted. - -. In the policy action menu, select first * Detach*. - -. Select all Users, Groups, Roles that have this policy attached. - -. Click * Detach Policy*. - -. In the policy action menu, select * Detach*. - - -* CLI Command* - - - -. List all IAM users, groups, and roles that the specified managed policy is attached to: -+ -`aws iam list-entities-for-policy --policy-arn & lt;policy_arn>` - -. Detach the policy from all IAM Users: -+ -`aws iam detach-user-policy --user-name & lt;iam_user> --policy-arn & lt;policy_arn>` - -. Detach the policy from all IAM Groups: -+ -`aws iam detach-group-policy --group-name & lt;iam_group> --policy-arn & lt;policy_arn>` - -. Detach the policy from all IAM Roles: -+ -`aws iam detach-role-policy --role-name &l t;iam_role> --policy-arn & lt;policy_arn>` -//// === Fix - Buildtime 
@@ -113,3 +67,30 @@ resource "aws_iam_policy" "policy" { EOF } ---- + + +*CloudFormation* + +To fix this issue, ensure that the IAM policy statements do not use "*" in the actions. Instead, specify the specific actions that are required. + +Example: + +[source,yaml] +---- +Resources: + MyIAMRole: + Type: AWS::IAM::Role + Properties: + ... + Policies: + - PolicyName: "example-policy" + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: +- - "*" + Resource: + - "arn:aws:s3:::example-bucket" + - "arn:aws:s3:::example-bucket/*" +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.adoc index 2ece08f673..3e1464318f 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.adoc @@ -16,7 +16,7 @@ |MEDIUM |Subtype -|Build +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -28,18 +28,32 @@ === Description -Secrets in Kubernetes enables managing sensitive information such as passwords and API keys using Kubernetes-native APIs. -When creating a secret resource the Kubernetes API server stores it in *etcd* in a base64 encoded form. -For example, using kubectl create secret, EKS can encrypt etcd volumes at disk-level using AWS-managed encryption keys. -AWS encourages using envelope encryption to encrypt a key with another key. -The motivation is security best practice. -Applications store sensitive data as part of a defense in depth security strategy. -A master key is stored in AWS KMS that is then utilized for data key generation in the Kubernetes API server. -It is also used to encrypt/decrypt sensitive data stored in Kubernetes secrets. +This policy identifies AWS EKS clusters that do not have secrets encryption enabled. AWS EKS cluster secrets are, by default, stored unencrypted in the API server's underlying data store (etcd). Anyone with direct access to etcd or with API access can retrieve or modify the secrets. Using secrets encryption for your Amazon EKS cluster allows you to protect sensitive information such as passwords and API keys using Kubernetes-native APIs. It is recommended to enable secrets encryption to ensure its security and reduce the risk of unauthorized access or data breaches. === Fix - Buildtime +*Terraform* + +To fix this issue, ensure that the `encryption_config` property in the `aws_eks_cluster` resource includes `secrets` in its `resources` list. + +Example: + +[source,hcl] +---- +resource "aws_eks_cluster" "example" { + ... + encryption_config { ++ resources = ["secrets"] + provider { + key_arn = aws_kms_key.example.arn + } + } + ... +} +---- + + *CloudFormation* diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-317.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-317.adoc index 39ed7ef14e..ecddabf2b7 100644 
--- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-317.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-317.adoc @@ -36,7 +36,7 @@ This policy is checking for the activation of audit logging on an Elasticsearch To fix this issue, you need to enable the audit logs for the Elasticsearch Domain. This can be done by setting `log_publishing_options` in your AWS Elasticsearch resource configuration, then defining `audit_logs` with `enabled = true`. -[source,hcl] +[source,go] ---- resource "aws_elasticsearch_domain" "example" { domain_name = "example" @@ -60,3 +60,44 @@ resource "aws_cloudwatch_log_group" "example" { In the above secure code, `log_publishing_options` are activated where `log_type` is set to `AUDIT_LOGS` and `enabled = true`. This ensures that audit logging is enabled for the Elasticsearch domain which provides valuable insights on security and access patterns. Note that the logging destination is a CloudWatch log group which is specified by `cloudwatch_log_group_arn`. + +*CloudFormation* + +To fix this issue, ensure that the `Enabled` property under `AUDIT_LOGS` in the `LogPublishingOptions` configuration of the `AWS::Elasticsearch::Domain` or `AWS::OpenSearchService::Domain` resource is set to `true`. + +Example: + +[source,json] +---- +{ + "Resources": { + "MyElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "DomainName": "example-domain", + "LogPublishingOptions": { + "AUDIT_LOGS": { + "Enabled": true, + ... + } + }, + ... + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MyOpenSearchDomain: + Type: AWS::OpenSearchService::Domain + Properties: + DomainName: example-domain + LogPublishingOptions: + AUDIT_LOGS: + Enabled: true + ... + ... +---- 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.adoc index aecc73186d..a8ad5008c7 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.adoc @@ -32,18 +32,6 @@ These access logs can be used to analyze traffic patterns and troubleshoot security and operational issues. Access logging is an optional feature of ELB that is disabled by default. -=== Fix - Runtime - - -*AWS Console* - - -TBA - - -*CLI Command* - - === Fix - Buildtime diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-24.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-24.adoc index 4b7d2e57d1..c7cf326943 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-24.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-24.adoc @@ -27,17 +27,8 @@ === Description +This policy ensures that logging is enabled for Amazon Neptune clusters. Enabling logging for your Neptune clusters is critical for auditing and monitoring purposes. It helps in capturing database activities that can be useful for debugging and compliance requirements. This check validates that `enable_cloudwatch_logs_exports` includes the required log types. -These logs can be used to analyse traffic patterns and troubleshoot security and operational issues. -It is recommended that you set your cluster to optionally export its' logs to AWS Cloudwatch. - -=== Fix - Runtime - - -*AWS Console* - - -TBA === Fix - Buildtime 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-postgres-rds-as-aws-db-instance-has-query-logging-enabled.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-postgres-rds-as-aws-db-instance-has-query-logging-enabled.adoc index 8380480b92..e556235fbd 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-postgres-rds-as-aws-db-instance-has-query-logging-enabled.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-postgres-rds-as-aws-db-instance-has-query-logging-enabled.adoc @@ -15,7 +15,7 @@ |LOW |Subtype -|Build +|Run,Build |Frameworks |Terraform,TerraformPlan @@ -26,18 +26,35 @@ === Description +This policy identifies RDS Postgres clusters with query logging disabled. -=== Fix - Buildtime +In AWS RDS PostgreSQL, by default, the logging level captures login failures, fatal server errors, deadlocks, and query failures. To log data changes, we recommend enabling cluster logging for monitoring and troubleshooting. To obtain adequate logs, an RDS cluster should have log_statement and log_min_duration_statement parameters configured. + +It is a best practice to enable additional RDS cluster logging, which will help in data change monitoring and troubleshooting. +=== Fix - Buildtime -*Terraform* +*Terraform* +To enable query logging, configure the associated `aws_rds_cluster_parameter_group` resource with the appropriate logging parameters. +Example: [source,go] ---- -{ - "tbd", +resource "aws_rds_cluster_parameter_group" "example" { + name = "example-aurora-pg-logs" + family = "aurora-postgresql10" + + parameter { + name = "log_statement" + value = "all" + } + + parameter { + name = "log_min_duration_statement" + value = "1000" + } } ----- \ No newline at end of file +---- 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.adoc index bf88295485..acdecd0e2c 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.adoc @@ -28,9 +28,7 @@ === Description -Enabling enhanced monitoring for Amazon RDS instances can provide you with additional visibility into the performance and health of your database instances. -With enhanced monitoring, you can retrieve real-time performance metrics for your RDS instances at intervals of 1 second, rather than the standard interval of 60 seconds. -This can be particularly useful for troubleshooting performance issues, identifying trends in resource utilization, and detecting potential issues before they become problems. +This policy ensures that enhanced monitoring is enabled for Amazon RDS instances. Enhanced monitoring provides detailed metrics in real-time for the operating system that your DB instance runs on, which helps in identifying and diagnosing performance issues. This policy checks whether the `MonitoringInterval` property is set to a valid value for enabling enhanced monitoring. === Fix - Buildtime 
@@ -50,3 +48,21 @@ resource "aws_db_instance" "default" { + monitoring_interval = 5 } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `MonitoringInterval` property in the `AWS::RDS::DBInstance` resource is set to a valid value (1, 5, 10, 15, 30, or 60 seconds). + +Example: + +[source,yaml] +---- +Resources: + MyRDSInstance: + Type: AWS::RDS::DBInstance + Properties: + DBInstanceIdentifier: example-instance ++ MonitoringInterval: 60 + ... +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-1.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-1.adoc index ebb563e917..d41cb2488a 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-1.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-1.adoc @@ -10,14 +10,13 @@ | 05befc8b-c78a-45e9-98dc-c7fbaef580e7 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py[CKV_AWS_67] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py[CKV_AWS_67] |Severity |INFO |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -27,73 +26,9 @@ === Description +This policy identifies the AWS accounts which do not have a CloudTrail with multi trail enabled and capturing all management events. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to turn on CloudTrail across different regions to get a complete audit trail of activities across various services. -AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. -The recorded information includes: the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. - -CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services such as CloudFormation. -The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. - -AWS CloudTrail provides additional multi-region security: - -* Ensuring that a multi-regions trail exists will detect unexpected activity occurring in otherwise unused regions. -* Ensuring that a multi-regions trail exists will enable Global Service Logging for a trail by default, capturing records of events generated on AWS global services. -* For a multi-regions trail, ensuring that management events are configured for all types of Read/Write operations, results in the recording of management actions performed on all resources in an AWS account. - -//// -=== Fix - Runtime - - -* AWS Console* - - -To enable global (multi-region) CloudTrail logging, follow these steps: - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the https://console.aws.amazon.com/cloudtrail/ [Cloudtrail dashboard]. - -. On the left navigation pane, click * Trails*. - -. 
Click * Get Started Now*. - -. Click * Add new trail **. - -. Enter a trail name in the * Trail name* box. - -. Set * Apply trail to all regions* option to * Yes*. - -. Enter an S3 bucket name in the * S3 bucket* box. - -. Click * Create*. -+ -If one or more trail already exist, select the target trail to enable global logging, using the following steps: - -. Next to * Apply trail to all regions*, click the edit icon (pencil) and select * Yes*. - -. Click * Save*. - -. Next to * Management Events*, click the edit icon (pencil) and select * All* Read/Write Events. - -. Click * Save*. - - -* CLI Command* - - -To create a multi-region trail, use the following command: -[,bash] ----- -aws cloudtrail create-trail ---name & lt;trail_name> ---bucket-name & lt;s3_bucket_for_cloudtrail> ---is-multi-region-trail aws cloudtrail update-trail ---name & lt;trail_name> ---is-multi-region-trail ----- - -NOTE: Creating a CloudTrail with a CLI command, without providing any overriding options, configures Read/Write Management Events to All. -//// +NOTE: If you have Organization Trail enabled in your account, this policy can be disabled, or alerts generated for this policy on such an account can be ignored; as Organization Trail by default enables trail log for all accounts under that organization. === Fix - Buildtime 
@@ -101,44 +36,29 @@ NOTE: Creating a CloudTrail with a CLI command, without providing any overriding *CloudFormation* -* *Resource:* AWS::CloudTrail::Trail -* *Arguments:* Properties.IsMultiRegionTrail +To fix this issue, ensure that the `IsMultiRegionTrail` property in the `AWS::CloudTrail::Trail` resource is set to `true`. [source,yaml] ---- -{ - "Resources: + Resources: MyTrail: Type: AWS::CloudTrail::Trail Properties: ... -+ IsMultiRegionTrail: True", - -} ++ IsMultiRegionTrail: True ---- *Terraform* -* *Resource:* aws_cloudtrail -* *Arguments:* is_multi_region_trail - (Optional) Specifies whether the trail is created in the current region or in all regions. -Defaults to false. -* +To fix this issue, ensure that the `is_multi_region_trail` property in the `aws_cloudtrail` resource is set to `true`. [source,go] ---- -{ - "resource "aws_cloudtrail" "foobar" { - name = "tf-trail-foobar" - s3_bucket_name = aws_s3_bucket.foo.id - s3_key_prefix = "prefix" - include_global_service_events = false +resource "aws_cloudtrail" "foobar" { + ... + is_multi_region_trail = true -} - -", - } ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-19.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-19.adoc index 90f2e7b7f0..799d5830e2 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-19.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-19.adoc 
@@ -27,74 +27,58 @@ === Description +This policy ensures that Amazon DocumentDB (DocDB) clusters have logging enabled. Enabling logging helps you monitor and troubleshoot your DocDB clusters by providing visibility into database activity and operations. This policy checks whether the `EnableCloudwatchLogsExports` property includes the required log types (`profiler` and/or `audit`). -The events recorded by the AWS DocumentDB audit logs include: successful and failed authentication attempts, creating indexes or dropping a collection in a database within the DocumentDB cluster. -AWS CloudWatch logs are a service that monitors, stores and accesses your log files from a variety of sources within your AWS account. -When logging is enabled information such as Data Definition Language, authentication, authorization, and user management events are sent to AWS CloudWatch logs. -This information can be used to analyze, monitor and archive your Amazon DocumentDB auditing events for security and compliance requirements. - -//// -=== Fix - Runtime - - -* AWS Console* - - - -. Log in to the AWS Management Console at [https://console.aws.amazon.com/]. - -. Open the https://console.aws.amazon.com/docdb [Amazon DocumentDB]. - -. In the navigation pane, choose * Clusters*. - -. Specify the cluster that you want to modify by choosing the button to the left of the cluster's name. - -. Choose * Actions*, then click * Modify*. - -. In the Modify Cluster: & lt;cluster-name>+++ pane. -+++& lt;/cluster-name> - -. Go to* Log Exports** and enable exporting audit or profiler logs. - +=== Fix - Buildtime -* CLI Command* +*Terraform* -Use the modify-db-cluster operation to modify the specified cluster using the AWS CLI. +To fix this issue, ensure that the `enabled_cloudwatch_logs_exports` property in the `aws_docdb_cluster` resource includes one or both of the required log types (`profiler` and/or `audit`). 
+Example: -[source,shell] +[source,hcl] ---- -{ - "aws docdb modify-db-cluster \\ - --db-cluster-identifier sample-cluster \\ - --cloudwatch-logs-export-configuration '{"EnableLogTypes":["audit"]}'", +resource "aws_docdb_cluster" "example" { + ... + enabled_cloudwatch_logs_exports = ["profiler", "audit"] + ... } ---- -//// -=== Fix - Buildtime +*CloudFormation* -*Terraform* +To fix this issue, ensure that the `EnableCloudwatchLogsExports` property in the `AWS::DocDB::DBCluster` resource includes one or both of the required log types (`profiler` and/or `audit`). +Example: -* *Resource:* aws_docdb_cluster -* *Arguments:* enabled_cloudwatch_logs_exports - (Optional) List of log types to export to cloudwatch. -If omitted, no logs will be exported. -The following log types are supported: audit, profiler. - - -[source,go] +[source,json] ---- { - "resource "aws_docdb_cluster" "docdb" { - cluster_identifier = "my-docdb-cluster" - ... -+ enabled_cloudwatch_logs_exports = ["audit", "profiler"] + "Resources": { + "MyDocDBCluster": { + "Type": "AWS::DocDB::DBCluster", + "Properties": { + "DBClusterIdentifier": "example-cluster", + "EnableCloudwatchLogsExports": ["profiler", "audit"], + ... + } + } + } } +---- -", - -} +[source,yaml] ---- +Resources: + MyDocDBCluster: + Type: AWS::DocDB::DBCluster + Properties: + DBClusterIdentifier: example-cluster + EnableCloudwatchLogsExports: + - profiler + - audit + ... +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-7.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-7.adoc index dd92b2b192..4c61689b6c 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-7.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-7.adoc 
@@ -16,8 +16,7 @@ |INFO |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -28,71 +27,29 @@ === Description +Checks to ensure that CloudTrail logs are encrypted. AWS CloudTrail is a service that enables governance, compliance, operational & risk auditing of the AWS account. It is a compliance and security best practice to encrypt the CloudTrail data since it may contain sensitive information. -AWS CloudTrail is a web service that records AWS API calls for an account, and makes those logs available to users and resources in accordance with IAM policies. -AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. -It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. -CloudTrail logs can be configured to leverage server-side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. -We recommend that CloudTrail logs are configured to use SSE-KMS, providing additional confidentiality controls on log data. -A given user must have S3 read permission on the corresponding log bucket and must be granted decrypt permission by the CMK policy. - -//// -=== Fix - Runtime - - -* AWS Console* - - -To configure CloudTrail to use SSE-KMS using the Management Console, follow these steps: - -. Log in to the AWS Management Console at [https://console.aws.amazon.com/]. - -. Open the * https://console.aws.amazon.com/cloudtrail/ [Amazon CloudTrail console]*. - -. In the left navigation pane, click * Trails*. - -. Select a _Trail_. - -. Navigate to the * S3* section, click the edit button (pencil icon). - -. Click * Advanced*. - -. From the * KMS key Id* drop-down menu, select an existing CMK. -+ -NOTE: Ensure the CMK is located in the same region as the S3 bucket. - -. For CloudTrail as a service to encrypt and decrypt log files using the CMK provided, apply a KMS Key policy on the selected CMK. - -. Click * Save*. +=== Fix - Buildtime -. 
You will see a notification message stating that you need to have decrypt permissions on the specified KMS key to decrypt log files. -+ -Click * Yes*. +*Terraform* -* CLI Command* +To fix this issue, ensure that the `kms_key_id` property in the `aws_cloudtrail` resource is set to a valid KMS key ID or ARN. +Example: -To update the CloudTrail, use the following command: -[,bash] +[source,go] ---- -aws cloudtrail update-trail ---name & lt;trail_name> ---kms-id & lt;cloudtrail_kms_key> aws kms put-key-policy ---key-id & lt;cloudtrail_kms_key> ---policy & lt;cloudtrail_kms_key_policy> +resource "aws_cloudtrail" "example" { + ... ++ kms_key_id = "arn:aws:kms:us-west-2:123456789012:key/example-key-arn" +} ---- -//// - -=== Fix - Buildtime *CloudFormation* - -* *Resource:* AWS::CloudTrail::Trail -* *Arguments:* Properties.KMSKeyId - +To fix this issue, ensure that the `KMSKeyId` property in the `AWS::CloudTrail::Trail` resource is set to a valid KMS key ID or ARN. [source,yaml] ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-291.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-291.adoc index 4bae8f02ee..1c27c22d5b 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-291.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-291.adoc @@ -19,7 +19,7 @@ |Build |Frameworks -|Terraform,TerraformPlan +|Terraform,TerraformPlan,CloudFormation |=== 
@@ -34,62 +34,70 @@ This policy is checking if Managed Stream for Kafka (MSK) nodes are set to priva * *Resource:* aws_msk_cluster * *Arguments:* broker_node_group_info.connectivity_info.public_access.type -To fix this issue, you need to modify the `broker_node_group_info` in the `aws_msk_cluster` resource in your Terraform code to ensure the MSK nodes are private. +To fix this issue, you should ensure that your MSK cluster configuration does not include public access. Below is an example of how to set this property in a Terraform configuration: [source,go] ---- -resource "aws_msk_cluster" "pass" { - cluster_name = "pike" - kafka_version = "3.2.0" - number_of_broker_nodes = 2 +resource "aws_msk_cluster" "example" { + cluster_name = "example-cluster" + kafka_version = "2.6.0" + number_of_broker_nodes = 3 + broker_node_group_info { - storage_info { - ebs_storage_info { - volume_size = 1100 - } - } - client_subnets = [ - "subnet-0562ef1d304b968f4", - "subnet-08895dbf9e060579b"] - instance_type = "kafka.t3.small" - security_groups = ["sg-002ed1a53dc5fe0ad"] + instance_type = "kafka.m5.large" + connectivity_info { public_access { -+ type = "DISABLED" ++ type = "DISABLED" } } } - client_authentication { - sasl { - scram = true - } - } - configuration_info { - arn = "" - revision = 0 - } - encryption_info { - encryption_at_rest_kms_key_arn = "arn:aws:kms:eu-west-2:680235478471:key/fd160011-126e-4bec-b370-c8765b5c6a37" - encryption_in_transit { - client_broker = "TLS" - in_cluster = true - } - } - open_monitoring { - prometheus { - jmx_exporter { - enabled_in_broker = false - } +} +---- + + +*CloudFormation* + +To fix this issue, you should ensure that your MSK cluster configuration does not include public access. 
Below is an example of how to set this property in a CloudFormation configuration: + +Example: - node_exporter { - enabled_in_broker = false +[source,json] +---- +{ + "Resources": { + "MyMSKCluster": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "example-cluster", + "KafkaVersion": "2.6.0", + "NumberOfBrokerNodes": 3, + "BrokerNodeGroupInfo": { + "InstanceType": "kafka.m5.large", + "ConnectivityInfo": { + "PublicAccess": { ++ "Type": "DISABLED" + } + } + } } } - - } - tags = { - pike = "permissions" } } ---- +[source,yaml] +---- +Resources: + MyMSKCluster: + Type: AWS::MSK::Cluster + Properties: + ClusterName: "example-cluster" + KafkaVersion: "2.6.0" + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + InstanceType: "kafka.m5.large" + ConnectivityInfo: + PublicAccess: ++ Type: "DISABLED" +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-63.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-63.adoc index 05b4d93447..489ccfd836 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-63.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-63.adoc @@ -10,14 +10,13 @@ | 45e37556-3d26-4cdb-8780-5b7fc5f60e01 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py[CKV_AWS_174] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py[CKV_AWS_174] |Severity |LOW |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -28,30 +27,7 @@ === Description - -This policy identifies AWS CloudFront web distributions which are configured with TLS versions for HTTPS communication between viewers and CloudFront. -As a best practice, use TLSv1.1_2016 or later as the minimum protocol version in your CloudFront distribution security policies - -//// -=== Fix - Runtime - - -* AWS Console* - - - -. Sign in to the AWS console - -. Navigate to CloudFront Distributions Dashboard - -. Click on the reported distribution - -. On 'General' tab, Click on 'Edit' button - -. On 'Edit Distribution' page, Set 'Security Policy' to TLSv1.1_2016 or later as per your requirement. - -. Click on 'Yes, Edit' -//// +This policy identifies AWS CloudFront web distributions which are configured with TLS versions for HTTPS communication between viewers and CloudFront. As a best practice, use recommended TLSv1.2_2021 as the minimum protocol version in your CloudFront distribution security policies. === Fix - Buildtime @@ -74,3 +50,43 @@ resource "aws_cloudfront_distribution" "pass" { } } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `MinimumProtocolVersion` property in the `ViewerCertificate` configuration of the `AWS::CloudFront::Distribution` resource is set to one of the approved TLS v1.2 versions (`TLSv1.2_2018`, `TLSv1.2_2019`, or `TLSv1.2_2021`). + +Example: + +[source,json] +---- +{ + "Resources": { + "MyCloudFrontDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "ViewerCertificate": { + "MinimumProtocolVersion": "TLSv1.2_2021", + ... + }, + ... + } + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MyCloudFrontDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + ViewerCertificate: + MinimumProtocolVersion: TLSv1.2_2021 + ... + ... +---- 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.adoc index 3da63e481b..b905dc97b8 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.adoc @@ -28,8 +28,7 @@ === Description -Ensure that Drop Invalid Header Fields feature is enabled for your Amazon Application Load Balancers (ALBs) in order to follow security best practices and meet compliance requirements. -If Drop Invalid Header Fields security feature is enabled, HTTP headers with header fields that are not valid are removed by the Application Load Balancer instead of being routed to the associated targets. +This policy ensures that Application Load Balancers (ALBs) are configured to drop HTTP headers that do not conform to RFC specifications. This improves security by preventing header injection attacks and other potential misuse of faulty headers. === Fix - Buildtime 
@@ -44,10 +43,50 @@ If Drop Invalid Header Fields security feature is enabled, HTTP headers with hea [source,go] ---- resource "aws_alb" "test_success" { - name = "test-lb-tf" - internal = false + name = "test-lb-tf" + internal = false load_balancer_type = "network" subnets = aws_subnet.public.*.id + drop_invalid_header_fields = true - } +} +---- + +*CloudFormation* + +To mitigate this issue, ensure the `LoadBalancerAttributes` parameter in the `AWS::ElasticLoadBalancingV2::LoadBalancer` resource includes the attribute `routing.http.drop_invalid_header_fields.enabled` set to `true`. + +Example: + +[source,json] +---- +{ + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + ... + "Type": "application", + "LoadBalancerAttributes": [ + { + "Key": "routing.http.drop_invalid_header_fields.enabled", + "Value": "true" + } + ] + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + ... + Type: application + LoadBalancerAttributes: + - Key: routing.http.drop_invalid_header_fields.enabled + Value: "true" ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29.adoc index 68386b5f23..100cb65bce 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29.adoc 
@@ -10,14 +10,13 @@ | 81c50f65-faa1-4d66-b8e2-d26eaeb08447 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py[CKV_AWS_2] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py[CKV_AWS_2] |Severity |MEDIUM |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -28,54 +27,40 @@ === Description +This policy identifies Elastic Load Balancers v2 (ELBv2) listener that are configured to accept connection requests over HTTP instead of HTTPS. As a best practice, use the HTTPS protocol to encrypt the communication between the application clients and the application load balancer. -An internet-facing AWS ELB/ALB is a public resource on your network that is completely exposed to the internet. -It has a publicly resolvable DNS name, that can accept HTTP(S) requests from clients over the Internet. -External actors gaining knowledge to this information can potentially attempt to access the EC2 instances that are registered with the load balancer. -When an AWS ALB has no HTTPS listeners, front-end connections between the web clients and the load balancer could become targeted by man-in-the-middle attacks and traffic interception techniques. - -//// -=== Fix - Runtime - - -* AWS Console* - - - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the http://console.aws.amazon.com/ec2/ [Amazon EC2 console]. - -. Navigate to * LOAD BALANCING*, select * Load Balancers*. - -. Select a _load balancer_, then select * Listeners*. +=== Fix - Buildtime -. To add a _listener_, select * Add Listener*. -+ +*Terraform* -.. For Protocol : port, select HTTPS and keep the default port or type a different port. -+ +To fix this issue, ensure that the `protocol` property in the `aws_lb_listener` or `aws_alb_listener` resource is set to "HTTPS", "TLS", "TCP", "UDP", "TCP_UDP", or if using `HTTP`, redirect it to `HTTPS`. -.. For Default actions, do one of the following: Choose Add action, Forward to and choose a target group. -+ - Choose Add action, Redirect to and provide the URL for the redirect. -+ - Choose Add action, Return fixed response and provide a response code and optional response body. -+ -To save the action, select the * checkmark* icon. -+ +Example: -.. 
For Security policy, it is recommended that you keep the default security policy. -+ +[source,hcl] +---- +resource "aws_lb_listener" "example_https" { + ... + protocol = "HTTPS" +} +---- -.. For Default SSL certificate, do one of the following: If you created or imported a _certificate_ using * AWS Certificate Manager*, select * From ACM* and select the _certificate_. -+ - If you uploaded a _certificate_ using * IAM*, select * From IAM* and select the _certificate_. +[source,hcl] +---- +resource "aws_lb_listener" "example_http" { + ... + protocol = "HTTP" -. Click * Save*. -//// + default_action { + type = "redirect" -=== Fix - Buildtime + redirect { + ... + protocol = "HTTPS" + } + } +} +---- *CloudFormation* diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31.adoc index 4e2b98779e..9c882420e7 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31.adoc 
@@ -27,30 +27,7 @@ === Description - -Descriptions can be up to 255 characters long and can be set and viewed from the AWS Management Console, AWS Command Line Interface (CLI), and the AWS APIs. -We recommend you add descriptive text to each of your Security Group Rules clarifying each rule's goals, this helps prevent developer errors. - -//// -=== Fix - Runtime - - -* AWS Console* - - - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the http://console.aws.amazon.com/vpc/home [Amazon VPC console]. - -. Select * Security Groups*. - -. Select * Create Security Group*. - -. Select a _Security Group_ and review all of the descriptions. - -. To modify the rules and descriptions, click * Edit*. -//// +This policy ensures that each security group rule has a description to help identify the purpose of the rule. Descriptions improve the manageability and understanding of security group rules. === Fix - Buildtime @@ -78,3 +55,52 @@ resource "aws_security_group" "examplea" { } } ---- + +*CloudFormation* + +To mitigate this issue, ensure that the `Description` field is added to all security group rules in `AWS::EC2::SecurityGroup`, `AWS::EC2::SecurityGroupIngress`, and `AWS::EC2::SecurityGroupEgress` resources. + +Example: + +[source,json] +---- +{ + "Resources": { + "MySecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "My security group", + "SecurityGroupIngress": [ + { + ... ++ "Description": "Allow HTTP traffic" + } + ], + "SecurityGroupEgress": [ + { + ... ++ "Description": "Allow HTTPS traffic" + } + ] + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MySecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: My security group + SecurityGroupIngress: + - IpProtocol: tcp + ... ++ Description: Allow HTTP traffic + SecurityGroupEgress: + - IpProtocol: tcp + ... ++ Description: Allow HTTPS traffic +---- 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.adoc index 5a99c6a25f..37c79c5855 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.adoc @@ -9,7 +9,7 @@ | b3c159b3-00cb-42f3-8841-14e434421947 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py[CKV_AWS_173] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py[CKV_AWS_173] |Severity |LOW 
@@ -26,50 +26,70 @@ === Description -You can use environment variables to adjust your function's behavior without updating code. -An environment variable is a pair of strings that is stored in a function's version-specific configuration. -The Lambda runtime makes environment variables available to your code and sets additional environment variables that contain information about the function and invocation request. -Environment variables are not evaluated prior to the function invocation. -Any value you define is considered a literal string and not expanded. -Perform the variable evaluation in your function code. +This policy checks the encryption settings for environment variables in AWS Lambda functions. It's essential to use a KMS key for encrypting environment variables to protect sensitive data. If environment variables are provided, a KMS key must be specified. This policy checks whether the `kms_key_arn` is set when environment variables are used in a Lambda function. === Fix - Buildtime -*Terraform* +*Terraform* +To fix this issue, ensure that when environment variables are specified in the `aws_lambda_function` resource, the `kms_key_arn` property is also set to a valid KMS key ARN. -aws_lambda_function -* *Resource:* aws_lambda_function -* *Arguments:* kms_key_arn - +Example: [source,go] ---- -{ - "resource "aws_lambda_function" "test_lambda" { - filename = "lambda_function_payload.zip" - function_name = "lambda_function_name" - role = aws_iam_role.iam_for_lambda.arn - handler = "index.test" - - # The filebase64sha256() function is available in Terraform 0.11.12 and later - # For Terraform 0.11.11 and earlier, use the base64sha256() function and the file() function: - # source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}" - source_code_hash = filebase64sha256("lambda_function_payload.zip") - - runtime = "nodejs12.x" - -+ kms_key_arn = "ckv_km" - +resource "aws_lambda_function" "example" { + ... 
environment { variables = { - foo = "bar" + EXAMPLE_VAR = "example-value" } - } + + kms_key_arn = "arn:aws:kms:us-west-2:123456789012:key/example-key-arn" } +---- + + +*CloudFormation* + +To fix this issue, ensure that when environment variables are specified in the `AWS::Lambda::Function` or `AWS::Serverless::Function` resource, the `KmsKeyArn` property is also set to a valid KMS key ARN. -", +Example for AWS Lambda Function: + +[source,json] +---- +{ + "Resources": { + "MyLambdaFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + ... + "Environment": { + "Variables": { + "EXAMPLE_VAR": "example-value" + } + }, ++ "KmsKeyArn": "arn:aws:kms:us-west-2:123456789012:key/example-key-arn", + ... + } + } + } } ---- + +Example for AWS Serverless Function: + +[source,yaml] +---- +Resources: + MyServerlessFunction: + Type: AWS::Serverless::Function + Properties: + ... + Environment: + Variables: + EXAMPLE_VAR: example-value ++ KmsKeyArn: arn:aws:kms:us-west-2:123456789012:key/example-key-arn +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-3-enable-encryptionatrest.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-3-enable-encryptionatrest.adoc index d1542c3195..126957f5fc 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-3-enable-encryptionatrest.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-3-enable-encryptionatrest.adoc @@ -16,8 +16,7 @@ |LOW |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -28,32 +27,28 @@ === Description +This policy identifies Elasticsearch domains for which encryption is disabled. Encryption of data at rest is required to prevent unauthorized users from accessing the sensitive information available on your Elasticsearch domains components. This may include all data of file systems, primary and replica indices, log files, memory swap files and automated snapshots. The Elasticsearch uses AWS KMS service to store and manage the encryption keys. It is highly recommended to implement encryption at rest when you are working with production data that have sensitive information, to protect from unauthorized access. -Encryption of data at rest is a security feature that helps prevent unauthorized access to your data. -This feature uses AWS Key Management Service (AWS KMS) to store and manage encryption keys, and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. -If enabled, the feature encrypts the domain's indices, logs, swap files, all data in the application directory, and automated snapshots. -We recommend you implement encryption at rest in order to protect a data store containing sensitive information from unauthorized access, and fulfill compliance requirements. - -//// -=== Fix - Runtime - - -* Procedure* - +=== Fix - Buildtime -By default, domains do not encrypt data at rest, and you cannot configure existing domains to use EncryptionAtRest. -To enable EncryptionAtRest, you must create a new domain and migrate Elasticsearch to that domain. -You will also need, at minimum, read-only permissions to AWS KMS. -To create a new domain sign in to your AWS Console and select the Elasticsearch service (under Analytics), follow these steps: -. Select * Create a new domain*. +*Terraform* -. Change the default * Encryption* setting to * enabled*. +* *Resource:* aws_elasticsearch_domain +* *Arguments:* encrypt_at_rest -. Continue configuring your cluster. 
-//// +To fix this issue, you should ensure that your Elasticsearch domain configuration has the `encrypt_at_rest` property enabled. Below is an example of how to set this property in a Terraform configuration: -=== Fix - Buildtime +[source,go] +---- +resource "aws_elasticsearch_domain" "example" { + domain_name = "example" + + encrypt_at_rest { + enabled = true + } +} +---- *CloudFormation* @@ -62,16 +57,36 @@ To create a new domain sign in to your AWS Console and select the Elasticsearch * *Resource:* AWS::Elasticsearch::Domain * *Argument:* Properties.EncryptionAtRestOptions.Enabled +To mitigate this issue, ensure that the `EncryptAtRestOptions` property in the `AWS::Elasticsearch::Domain` resource is properly configured to enable encryption at rest. -[source,yaml] +Example: + +[source,json] ---- { - "Resources: - ElasticsearchDomain: + "Resources": { + "ExampleElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "DomainName": "example", + "EncryptAtRestOptions": { + "Enabled": true + } + ... + } + } + } +} +---- + +[source,yaml] +---- +Resources: + ExampleElasticsearchDomain: Type: AWS::Elasticsearch::Domain Properties: + DomainName: example + EncryptAtRestOptions: + Enabled: true ... - EncryptionAtRestOptions: -+ Enabled: True", -} ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-5.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-5.adoc index b98ffb8a12..51893b6411 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-5.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-5.adoc 
@@ -10,14 +10,13 @@ | f978f4db-d9b9-41df-bf4f-d8ce52019a9c |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py[CKV_AWS_6] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/cloudformation/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py[CKV_AWS_6] |Severity |MEDIUM |Subtype |Build -//'Run |Frameworks |CloudFormation, Terraform, TerraformPlan, Serverless @@ -32,24 +31,23 @@ The AWS Elasticsearch Service allows you to host sensitive workloads with node-to-node encryption using Transport Layer Security (TLS) for all communications between instances in a cluster. Node-to-node encryption ensures that any data sent to the Amazon Elasticsearch Service domain over HTTPS remains encrypted in-flight while it is being distributed and replicated between the nodes. -//// -=== Fix - Runtime - - -* AWS Console* - - -To enable the feature, you must create another domain and migrate your data. -Using the AWS Console, follow these steps: +=== Fix - Buildtime -. Log in to the AWS Management Console at https://console.aws.amazon.com/. +*Terraform* -. Navigate to the * Analytics* section, select * Elasticsearch Service*. +To fix this issue, ensure that the `node_to_node_encryption` block in the `aws_elasticsearch_domain` or `aws_opensearch_domain` resource is configured with `enabled` set to `true`. -. To enable _node-to-node encryption_ when you configure a new cluster, select * Node-to-node encryption*. -//// +Example: -=== Fix - Buildtime +[source,go] +---- +resource "aws_elasticsearch_domain" "example" { + ... + node_to_node_encryption { + enabled = true + } +} +---- *CloudFormation* diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-6.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-6.adoc index c38adba1eb..455beef0c9 100644 
--- a/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-6.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/elastisearch-policies/elasticsearch-6.adoc @@ -16,8 +16,7 @@ |MEDIUM |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -26,37 +25,29 @@ -=== Description +=== Description +This policy identifies Elasticsearch domains that are not configured with HTTPS. Amazon Elasticsearch domains allow all traffic to be submitted over HTTPS, ensuring all communications between application and domain are encrypted. It is recommended to enable HTTPS so that all communication between the application and all data access goes across an encrypted communication channel to eliminate man-in-the-middle attacks. -Amazon Elasticsearch Service (Amazon ES) allows you to build applications without setting up and maintaining your own search cluster on Amazon EC2. -Amazon ES you can configure your domains to require HTTPS traffic, ensuring that communications between your clients and your domain are encrypted. -We recommend you configure the minimum required TLS version to *accept*. -This option is a useful additional security control to ensure that your clients are not misconfigured. - -//// -=== Fix - Runtime - - -* AWS Console* - - -To change the policy using the AWS Console, follow these steps: - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the https://console.aws.amazon.com/es/home [Amazon Elasticsearch console]. +=== Fix - Buildtime -. Open a domain. +*Terraform* -. Select * Actions* > * Modify encryptions* +* *Resource:* aws_elasticsearch_domain, aws_opensearch_domain +* *Arguments:* domain_endpoint_options -. Select _Require HTTPS for all traffic to the domain_. +To fix this issue, you should ensure that your Elasticsearch or OpenSearch domain enforces HTTPS by setting the `enforce_https` option to `true` in the `domain_endpoint_options` block as shown below: -. Click * Submit*. -//// +[source,go] +---- +resource "aws_elasticsearch_domain" "example" { + domain_name = "example-domain" -=== Fix - Buildtime + domain_endpoint_options { ++ enforce_https = true + } +} +---- *CloudFormation* 
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-1-ecr-repositories-not-public.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-1-ecr-repositories-not-public.adoc index f5d9535b33..52f3a280a0 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-1-ecr-repositories-not-public.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-1-ecr-repositories-not-public.adoc @@ -10,14 +10,13 @@ | 9f40d30b-97fd-4ec5-827b-f74b50a312b9 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/ECRPolicy.py[CKV_AWS_32] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/ECRPolicy.py[CKV_AWS_32] |Severity |MEDIUM |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -28,36 +27,40 @@ === Description +This policy identifies AWS Private ECR repositories that have overly permissive registry policies. An ECR(Elastic Container Registry) repository is a collection of Docker images available on the AWS cloud. These images might contain sensitive information which should be restricted to unauthorized users. -AWS ECR is a managed Docker registry service that simplifies Docker container image management. -The ECR repository is a collection of Docker images available on AWS. -Access control to ECR repositories is governed using resource-based policies. -A public ECR repository can expose internal Docker images that contain confidential business logic. -We recommend you do not allow unrestricted public access to ECR repositories to help avoid data leakage. -=== Fix - Runtime - - -*AWS Console* - - -To change the policy using the AWS Console, follow these steps: - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the https://console.aws.amazon.com/ecs/[Amazon ECS console]. - -. Select *Amazon ECR **, then select **Repositories*. +=== Fix - Buildtime -. Click the image repository that you want to configure. -+ -To modify the permission policy, select *Permissions*. +*Terraform* -. In the *Permission statements*, select the _policy statement_ that has *Effect **set to **Allow* and *Principal* set to *****. +To fix this issue, ensure that the `policy` property in the `aws_ecr_repository_policy` resource does not allow public access. -. To select a restricted access policy, click *Edit* and make changes. 
+Example: -=== Fix - Buildtime +[source,go] +---- +resource "aws_ecr_repository_policy" "example" { + repository = aws_ecr_repository.example.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage" + ] + Resource = aws_ecr_repository.example.arn + Principal = { + AWS = "arn:aws:iam::123456789012:role/your-role" + } + } + ] + }) +} +---- *CloudFormation* diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-11.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-11.adoc index d8899ad40a..2c8022de52 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-11.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-11.adoc @@ -10,14 +10,13 @@ | be6e507b-b1e5-4043-a8d7-94df078f81e6 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/AmazonMQBrokerPublicAccess.py[CKV_AWS_69] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/cloudformation/checks/resource/aws/AmazonMQBrokerPublicAccess.py[CKV_AWS_69] |Severity |LOW |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
@@ -29,64 +28,39 @@ === Description -Brokers created without public accessibility cannot be accessed from outside of your VPC. -This greatly reduces your broker's susceptibility to DDoS attacks from the internet. -Public Amazon MQ brokers can be accessed directly, outside of a VPC, allowing every EC2 on the Internet to reach your brokers through their public endpoints. -This can increase the opportunity for malicious activity such as cross-site scripting and clickjacking attacks. +This policy identifies the AWS MQ brokers which are publicly accessible. It is advisable to use MQ brokers privately only from within your AWS Virtual Private Cloud (VPC). Ensure that the AWS MQ brokers provisioned in your AWS account are not publicly accessible from the Internet to avoid sensitive data exposure and minimize security risks. -//// -=== Fix - Runtime - - -* AWS Console* - - -To change the policy using the AWS Console, follow these steps: - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. +=== Fix - Buildtime -. Open the https://console.aws.amazon.com/amazon-mq/ [Amazon MQ console]. -. In the * Select deployment and storage* page, in the * Deployment mode and storage type* section configure your MQ based on your specs. +*Terraform* -. In the * Network and security * section, configure your broker's connectivity and select the * Public accessibility* of your broker. -+ -Disabling public accessibility makes the broker accessible only within your VPC. -//// +To fix this issue, ensure that the `publicly_accessible` property in the `aws_mq_broker` resource is set to `false`. -=== Fix - Buildtime +Example: +[source,go] +---- +resource "aws_mq_broker" "example" { + ... + publicly_accessible = false + ... +} -*Terraform* +*CloudFormation* -* *Resource:* aws_mq_broker -* *Arguments:* publicly_accessible - (Optional) Whether to enable connections from applications outside of the VPC that hosts the broker's subnets. 
+To fix this issue, ensure that the `PubliclyAccessible` property in the `AWS::AmazonMQ::Broker` resource is set to `false`. +Example: -[source,go] +[source,yaml] ---- -{ - "resource "aws_mq_broker" "example" { - broker_name = "example" -+ publicly_accessible = true - configuration { - id = aws_mq_configuration.test.id - revision = aws_mq_configuration.test.latest_revision - } - - - engine_type = "ActiveMQ" - engine_version = "5.15.0" - host_instance_type = "mq.t2.micro" - security_groups = [aws_security_group.test.id] - - user { - username = "ExampleUser" - password = "MindTheGap" - } - -} -", -} +Resources: + MyMQBroker: + Type: AWS::AmazonMQ::Broker + Properties: + ... + PubliclyAccessible: false + ... ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-19.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-19.adoc index 7e6b9a1d54..ce0d798d7b 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-19.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-19.adoc @@ -10,7 +10,7 @@ | 39bced69-0875-4e10-a8e6-bffb1c5b3319 |Checkov ID -| https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py[CKV_AWS_53] +| https://github.com/bridgecrewio/checkov/tree/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py[CKV_AWS_53] |Severity |MEDIUM 
@@ -27,13 +27,7 @@ === Description - -Amazon S3 buckets and objects are configured to be private. -They are protected by default, with the option to use Access Control Lists (ACLs) and bucket policies to grant access to other AWS accounts and to anonymous public requests. -The *Block public access to buckets and objects granted through new access control lists (ACLs)* option does not allow the use of new public bucket or object ACLs, ensuring future PUT requests that include them will fail. -This setting helps protect against future attempts to use ACLs to make buckets or objects public. -When an application tries to upload an object with a public ACL this setting will be blocked for public access. -We recommend you set S3 Bucket BlockPublicAcls to *True*. +This policy ensures that Amazon S3 buckets have the `block public ACLs` setting enabled. Blocking public ACLs helps prevent the exposure of sensitive data by ensuring that public access permissions are not granted through ACLs. This setting is crucial for maintaining the security and privacy of the data stored in S3 buckets. This policy checks whether the `BlockPublicAcls` option is enabled in the `PublicAccessBlockConfiguration` of S3 buckets. === Fix - Buildtime 
@@ -41,18 +35,48 @@ We recommend you set S3 Bucket BlockPublicAcls to *True*. *Terraform* -* *Resource:* aws_s3_bucket_public_access_block Argument: block_public_acls - - -[source,text] +[source,go] ---- -resource "aws_s3_bucket_public_access_block" "artifacts" { - count = var.bucketname == "" ? 1 : 0 - bucket = aws_s3_bucket.artifacts[0].id +resource "aws_s3_bucket_public_access_block" "example" { + ... + block_public_acls = true - block_public_policy = true - restrict_public_buckets = true - ignore_public_acls=true } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `BlockPublicAcls` property in the `PublicAccessBlockConfiguration` of the `AWS::S3::Bucket` resource is set to `true`. + +Example: + +[source,json] +---- +{ + "Resources": { + "MyS3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "example-bucket", + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + ... + } + } + } + } +} +---- + +[source,yaml] +---- +Resources: + MyS3Bucket: + Type: AWS::S3::Bucket + Properties: + BucketName: example-bucket + PublicAccessBlockConfiguration: + BlockPublicAcls: true + ... +---- \ No newline at end of file diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-20.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-20.adoc index a2f9cfe8aa..71a0af9c84 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-20.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-20.adoc 
@@ -28,9 +28,8 @@ === Description -Amazon S3 Block Public Access policy works at the account level and on individual buckets, including those created in the future. -It provides the ability to block existing public access, whether specified by an ACL or a policy, and ensures public access is not granted to newly created items. -If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure. +This policy ensures that Amazon S3 buckets have the `block public policy` setting enabled. Enabling this setting ensures that public bucket policies cannot be set, which helps prevent unauthorized access to the data stored in the S3 bucket. This policy checks whether the `BlockPublicPolicy` option is enabled in the `PublicAccessBlockConfiguration` of S3 buckets. + === Fix - Buildtime @@ -38,18 +37,32 @@ If an AWS account is used to host a data lake or another business application, b *Terraform* -* *Resource:* aws_s3_bucket_public_access_block Argument: block_public_policy +To fix this issue, ensure that the `block_public_policy` property in the `aws_s3_bucket_public_access_block` resource is set to `true`. -[source,text] +[source,go] ---- resource "aws_s3_bucket_public_access_block" "artifacts" { - count = var.bucketname == "" ? 1 : 0 - bucket = aws_s3_bucket.artifacts[0].id - - block_public_acls = true + ... + block_public_policy = true - restrict_public_buckets = true - ignore_public_acls=true } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `BlockPublicPolicy` property in the `PublicAccessBlockConfiguration` of the `AWS::S3::Bucket` resource is set to `true`. + +Example: + +[source,yaml] +---- +Resources: + MyS3Bucket: + Type: AWS::S3::Bucket + Properties: + BucketName: example-bucket + PublicAccessBlockConfiguration: ++ BlockPublicPolicy: true + ... +---- 
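Review bot: the YAML example in the second hunk has `++ BlockPublicPolicy: true`, so the file content becomes `+ BlockPublicPolicy: true`; rendered, that is a stray `+` inside the YAML where the neighbouring lines (`PublicAccessBlockConfiguration:`, `...`) carry none, and anyone copying the block gets invalid YAML. Drop the extra `+` unless the `+`-prefix highlighting used in the Terraform blocks is intended here, in which case apply it to the whole block. Minor: the Terraform example keeps the resource name `artifacts` while the BlockPublicAcls page in the same patch renamed it to `example`, and the `...` now stands in for the required `bucket` argument; fine as an elision, but the new "To fix this issue" sentence could say that `bucket` must still be set.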
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging.adoc index 8c4d5d1c8d..7747deda3e 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging.adoc @@ -16,8 +16,7 @@ |INFO |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless 
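Review bot: this hunk switches Subtype from `|Build` (with `Run` commented out) to `|Build, Run`, but the following hunk on the same page deletes the commented-out `Fix - Runtime` section instead of restoring it, so the page will advertise a runtime subtype with no runtime remediation. Either keep `//, Run` until a console or CLI fix is added back, or restore and clean up the runtime section in this patch.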
@@ -29,95 +28,60 @@ === Description -Access logging provides detailed audit logging for all objects and folders in an S3 bucket. +Checks for S3 buckets without access logging turned on. Access logging allows customers to view complete audit trail on sensitive workloads such as S3 buckets. It is recommended that Access logging is turned on for all S3 buckets to meet audit & compliance requirement -//// -=== Fix - Runtime - - -* AWS Console* - - -To change the policy using the AWS Console, follow these steps: - -. Lo gin to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the https://console.aws.amazon.com/s3/[Amazon S3 console]. - -. Navigate to the _Bucket name list_. - -. To enable server access logging for a bucket, select the name of the bucket. +=== Fix - Buildtime -. Click * Properties*. -. Click * Server access logging*. +*Terraform* -. Click * Enable Logging*. -+ -NOTE: For the target, select the name of the bucket that you want to receive the log record objects. * The target bucket must be in the same * Region* as the source bucket and must not have a default retention period configuration. +* *Resource:* aws_s3_bucket, aws_s3_bucket_logging -. Click * Save*. +[source,go] +---- ++ resource "aws_s3_bucket_logging" "example" { ++ bucket = aws_s3_bucket.example.id ++ ++ target_bucket = aws_s3_bucket.log_bucket.id ++ target_prefix = "log/" ++ } +---- -* CLI Command* +*CloudFormation* -The example below sets the logging policy for MyBucket. -The AWS user _bob@example.com_ will have full control over the log files, no one else has any access. +To fix this issue, you should ensure that your S3 bucket configuration includes the `LoggingConfiguration` property. 
Below is an example of how to set this property in a CloudFormation configuration: +Example: -[source,python] +[source,json] ---- { - "### First, grant S3 permission with put-bucket-acl: -aws s3api put-bucket-acl --bucket MyBucket --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery - -### Then apply the logging policy: -aws s3api put-bucket-logging --bucket MyBucket --bucket-logging-status file://logging.json - -### logging.json is a JSON document in the current folder that contains the logging policy: -{ - "LoggingEnabled": { - "TargetBucket": "MyBucket", - "TargetPrefix": "MyBucketLogs/", - "TargetGrants": [ - { - "Grantee": { - "Type": "AmazonCustomerByEmail", - "EmailAddress": "bob@example.com" - }, - - "Permission": "FULL_CONTROL" + "Resources": { + "MyS3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "my-bucket", + "LoggingConfiguration": { + "DestinationBucketName": "my-log-bucket", + "LogFilePrefix": "log/" + } } - - ] - + } } - } -", - -} ----- ---- -//// - -=== Fix - Buildtime - - -*Terraform* - -* *Resource:* aws_s3_bucket, aws_s3_bucket_logging - - -[source,go] +[source,yaml] ---- -+ resource "aws_s3_bucket_logging" "example" { -+ bucket = aws_s3_bucket.example.id -+ -+ target_bucket = aws_s3_bucket.log_bucket.id -+ target_prefix = "log/" -+ } +Resources: + MyS3Bucket: + Type: AWS::S3::Bucket + Properties: + BucketName: "my-bucket" + LoggingConfiguration: + DestinationBucketName: "my-log-bucket" + LogFilePrefix: "log/" ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.adoc index 5f44284da4..1070170eac 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.adoc 
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.adoc @@ -16,8 +16,7 @@ |LOW |Subtype -|Build -//, Run +|Build, Run |Frameworks |CloudFormation,Terraform,TerraformPlan,Serverless @@ -29,39 +28,7 @@ === Description -S3 versioning is a managed data backup and recovery service provided by AWS. -When enabled it allows users to retrieve and restore previous versions of their buckets. -S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten. - -//// -=== Fix - Runtime - - -* AWS Console* - - -To change the policy using the AWS Console, follow these steps: - -. Log in to the AWS Management Console at https://console.aws.amazon.com/. - -. Open the https://console.aws.amazon.com/s3/ [Amazon S3 console]. - -. Select the bucket that you want to configure. - -. Select the * Properties* tab. - -. Navigate to the * Permissions* section. - -. Select * Edit bucket policy*. -+ -If the selected bucket does not have an _access policy_, click * Add bucket policy*. - -. Select the * Versioning* tab from the * Properties* panel, and expand the * feature configuration* section. - -. To activate object versioning for the selected bucket, click * Enable Versioning*, then click * OK*. -+ -The * feature status* should change to * versioning is currently enabled on this bucket*. -//// +This policy identifies the S3 buckets which have Object Versioning disabled. S3 Object Versioning is an important capability in protecting your data within a bucket. Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time on a bucket if you do not wish for it to persist. It is recommended to enable Object Versioning on S3. === Fix - Buildtime 
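Review bot: same gap as on s3-13: the first hunk on this page changes Subtype to `|Build, Run` while the second hunk removes the commented `Fix - Runtime` block, leaving only a build-time fix behind a `Run` subtype. On the new Description, "Once you enable Object Versioning, you cannot remove it; you can suspend Object Versioning at any time" is correct (versioning can only be suspended, never disabled), but the removed sentence about recovering objects that were accidentally or intentionally deleted or overwritten was the actual security motivation for the policy; keep one sentence of it.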
@@ -69,8 +36,7 @@ The * feature status* should change to * versioning is currently enabled on this *Terraform* -* *Resource:* aws_s3_bucket, aws_s3_bucket_versioning - +To fix this issue, ensure that `aws_s3_bucket` resources either has `versioning.enabled` set to `true` or is connected to an `aws_s3_bucket_versioning` block with `versioning_configuration.status` set to `Enabled`. [source,go] ---- @@ -82,3 +48,22 @@ The * feature status* should change to * versioning is currently enabled on this + } + } ---- + + +*CloudFormation* + +To fix this issue, ensure that the `VersioningConfiguration` property in the `AWS::S3::Bucket` resource is configured with `Status` set to `Enabled`. + +Example: + +[source,yaml] +---- +Resources: + MyS3Bucket: + Type: AWS::S3::Bucket + Properties: + BucketName: example-bucket + VersioningConfiguration: + Status: Enabled + ... +----
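Review bot: on the BlockPublicAcls page's `Fix - Buildtime` hunk (`@@ -41,18 +35,48 @@`), the Terraform section drops the `* *Resource:* aws_s3_bucket_public_access_block Argument: block_public_acls` line but, unlike the bc-aws-s3-20 hunk, gets no replacement "To fix this issue, ensure that `block_public_acls` ... is set to `true`" sentence, so the reader lands on a bare code block; add the sentence for consistency. In the JSON CloudFormation example, `"BlockPublicAcls": true, ...` leaves a trailing comma before the `...`, which is neither valid JSON nor the elision style used in the YAML twin; drop the comma or the `...`. The file also ends with `\ No newline at end of file`.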
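Review bot: on the s3-13 `Fix` hunk (`@@ -29,95 +28,60 @@`), the new CloudFormation JSON example appears to be one `}` short: after `"LogFilePrefix": "log/"` the hunk leaves four closing braces (`+ }`, ` }`, `+ }`, ` }`) for five opening ones (`{`, `"Resources": {`, `"MyS3Bucket": {`, `"Properties": {`, `"LoggingConfiguration": {`); run the block through a JSON parser or cfn-lint before merging. Separately, the deleted CLI section carried the step that grants S3 log delivery permission on the target bucket (`put-bucket-acl ... URI=http://acs.amazonaws.com/groups/s3/LogDelivery`), and neither the new Terraform nor the CloudFormation example says that `aws_s3_bucket.log_bucket` / `my-log-bucket` must allow the `logging.s3.amazonaws.com` service principal (bucket policy, the current recommendation) or carry the legacy log delivery group ACL; without that, the configuration is rejected or no logs arrive. One sentence plus a minimal target-bucket policy would close the gap. Wording in the new Description: "view complete audit trail" needs "a", "audit & compliance requirement" should be "requirements", and the sentence has no terminating period.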
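Review bot: on the s3-16 Terraform hunk (`@@ -69,8 +36,7 @@`), "ensure that `aws_s3_bucket` resources either has `versioning.enabled` set to `true`" should read "either have"; more importantly, the inline `versioning` block on `aws_s3_bucket` is deprecated in AWS provider v4 and later in favour of the standalone `aws_s3_bucket_versioning` resource, so the sentence should present `aws_s3_bucket_versioning` with `versioning_configuration.status = "Enabled"` as the primary fix and the inline block as the legacy pre-v4 form. The CloudFormation hunk (`@@ -82,3 +48,22 @@`) is fine as written; `VersioningConfiguration` with `Status: Enabled` is the correct property.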