GSA-TTS / tts-tech-operations

Home of the TTS Technology Portfolio team
https://handbook.tts.gsa.gov/tech-operations/

tfsec to Trivy Migration #1711

Open nateprice18f opened 2 months ago

nateprice18f commented 2 months ago

https://github.com/aquasecurity/tfsec

### Research
- [ ] Determine if Trivy can be used in place of TFSec or something else
### CircleCi Config
- [ ] Scan failing on aws-s3-enable-bucket-encryption due to old TF version used as base.
- [ ] Exclude used to address TFSec issue
nateprice18f commented 2 months ago
  ID aws-s3-enable-bucket-encryption
  Impact The bucket objects could be read if compromised
  Resolution Configure bucket encryption

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.6/checks/aws/s3/enable-bucket-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption

TFSec docs refer to S3 encryption in the main S3 resource block.

Secure Example
The following example will pass the aws-s3-enable-bucket-encryption check.

 resource "aws_s3_bucket" "good_example" {
   bucket = "mybucket"

   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
         kms_master_key_id = "arn"
         sse_algorithm     = "aws:kms"
       }
     }
   }
 }

Current TF AWS Provider places S3 encryption in its own resource block: "server_side_encryption_configuration - (Optional, Deprecated) Configuration of server-side encryption configuration. See Server Side Encryption Configuration below for details. Terraform will only perform drift detection if a configuration value is provided. Use the resource aws_s3_bucket_server_side_encryption_configuration instead."
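For comparison with the TFSec doc example above, here is the same bucket encryption written the way the current AWS provider expects it, with the encryption settings in a separate aws_s3_bucket_server_side_encryption_configuration resource instead of the deprecated inline block. This is an added example, not code from the issue, TFSec, or the provider docs; the bucket name, the aws_kms_key resource and all resource labels are assumptions for illustration.

```hcl
# Added example (not from the issue or the TFSec/provider docs): bucket
# encryption expressed as a separate
# aws_s3_bucket_server_side_encryption_configuration resource, which is what
# the current AWS provider expects. Names are assumptions for illustration.

# Customer-managed key so object encryption is not tied to the AWS-managed
# S3 key; rotation enabled so the key material is replaced automatically.
resource "aws_kms_key" "bucket" {
  description         = "CMK for S3 bucket objects (assumed name)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"
  # No server_side_encryption_configuration block here: in the current
  # provider that inline block is deprecated and only used for drift
  # detection when a value is provided.
}

resource "aws_s3_bucket_server_side_encryption_configuration" "good_example" {
  bucket = aws_s3_bucket.good_example.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.bucket.arn
    }
    # Optional: uses an S3 Bucket Key to cut the number of KMS requests
    # generated by object reads and writes.
    bucket_key_enabled = true
  }
}
```

Because the two resources are linked only through the `bucket` argument, a scanner has to follow that reference to know the bucket is encrypted; when checking a scanner result against a configuration in this form, confirm that the bucket and the encryption resource actually reference each other rather than assuming the encryption resource applies.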