aws-samples / serverless-jenkins-on-aws-fargate

MIT No Attribution

Improve security configurations #4

Closed yi2020 closed 3 years ago

yi2020 commented 3 years ago

Ran Cloudrail against the TF code in this repo and found a few issues worth fixing (note, the line numbers are off because I made some changes to the code to get it to run in my env):

Rule: Ensure target groups are not using HTTP
Description: Best practices encourage encryption of communication between each two entities in your environment. This includes between a load balancer and the servers it is connected to.
Remediation Steps - Cloud Console: Follow the guide at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html to configure HTTPS Protocol.
Remediation Steps - Terraform: For the aws_lb_target_group resource, set the protocol argument to use HTTPS.
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_lb_target_group.this.arn] (Not found in TF)
     Violating Resource: [aws_lb_target_group.this]  (main.tf:138)

     Evidence:
         Load Balancer
             | The Load Balancer Target Group aws_lb_target_group.this is set to use HTTP with its targets
             | This exposes traffic between the load balancer and its targets

-----------------------------------------------
Rule: Ensure Cloudwatch Log Groups being created are set to be encrypted at rest using KMS CMK
Description: Cloudrail will review the Cloudwatch Log Groups being created in your environment. If a Log Group is not set to encrypt at rest using KMS CMK, Cloudrail will highlight it as a violation. This rule will only flag a violation for resources that are not yet created.
Remediation Steps - Cloud Console: Follow the guide at https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html to set encryption at rest using a customer-managed CMK.
Remediation Steps - Terraform: For the aws_cloudwatch_log_group resource, set kms_key_id argument to use a customer-managed CMK ARN.
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_cloudwatch_log_group.jenkins_controller_log_group] (ecs.tf:40)
     Violating Resource: [aws_cloudwatch_log_group.jenkins_controller_log_group]  (ecs.tf:40)

     Evidence:
             | The CloudWatch Logs Group aws_cloudwatch_log_group.jenkins_controller_log_group is set to use encrypt at rest but it is not using CMKs

-----------------------------------------------
Rule: Ensure use of ECR repository policy, and no action wildcards are being used
Description: Using wildcard actions may inadvertently allow users to take actions you do not want to allow them to do. In addition, using a resource policy will provide an additional layer of security. It is a best practice to use a resource policy and give specific permissions only.
Remediation Steps - Cloud Console: Follow the guide at https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html to modify ECR repository policy in order to avoid using wildcard actions.
Remediation Steps - Terraform: For the aws_ecr_repository_policy resource, modify policy argument in order to avoid using wildcard actions.
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_ecr_repository.jenkins_controller] (jenkins_image.tf:8)
     Violating Resource: [aws_ecr_repository.jenkins_controller]  (jenkins_image.tf:8)

     Evidence:
             | There is no resource policy or no statements attached to aws_ecr_repository.jenkins_controller

-----------------------------------------------
Rule: Ensure use of EFS file system policy, and no action wildcards are being used
Description: Using wildcard actions may inadvertently allow users to take actions you do not want to allow them to do. In addition, using a resource policy will provide an additional layer of security. It is a best practice to use a resource policy and give specific permissions only.
Remediation Steps - Cloud Console: Follow the guide at https://docs.aws.amazon.com/efs/latest/ug/access-control-overview.html#access-control-manage-access-intro-resource-policies to modify EFS file system policy in order to avoid using wildcard actions.
Remediation Steps - Terraform: For the aws_efs_file_system_policy resource, modify policy argument in order to avoid using wildcard actions.
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_efs_file_system.this] (efs.tf:2)
     Violating Resource: [aws_efs_file_system.this]  (efs.tf:2)

     Evidence:
             | There is no resource policy or no statements attached to aws_efs_file_system.this

-----------------------------------------------
Rule: Ensure all security groups and rules have a description detailing the rule
Description: Cloudrail will review your security groups. If a security group is using a default description, or has a rule which does not include a description, this rule will trigger.
Remediation Steps - Cloud Console: Follow the guide at https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html to update the security group or security group rules description field.
Remediation Steps - Terraform: For the aws_security_group and aws_security_group_rule resources, set description argument with a proper value.
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_security_group.alb_security_group[0]] (main.tf:88)
     Violating Resource: [aws_security_group.alb_security_group[0]]  (main.tf:88)

     Evidence:
             | The Security group aws_security_group.alb_security_group[0] does not have a description for the ingress rule of aws_security_group.alb_security_group[0].id for ports 443:443 using protocol tcp

I'm happy to open a PR to fix these myself. My general approach is that it's best to provide code examples that follow security best practices, set by AWS and others.

Let me know if I can go ahead and open a PR to fix these.
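The Terraform remediations the report asks for, written out as an added example that is not code from this repository. Resource names follow the report; `var.vpc_id`, `var.ecs_execution_role_arn` and `var.ecs_task_role_arn` are assumed inputs, and the security-group finding, which only needs a `description` argument on the group and its rule, is omitted.

```hcl
# Finding 1: encrypt ALB -> target traffic. Only valid when the Jenkins
# container terminates TLS itself (assumed port 8443); otherwise keep HTTP.
resource "aws_lb_target_group" "this" {
  name        = "jenkins-controller"
  port        = 8443
  protocol    = "HTTPS"
  target_type = "ip"         # Fargate tasks register by IP
  vpc_id      = var.vpc_id   # assumed variable
}

# Finding 2: customer-managed KMS key on the log group. The key policy must
# also let logs.<region>.amazonaws.com use the key (omitted for brevity).
resource "aws_kms_key" "logs" {
  enable_key_rotation = true
}
resource "aws_cloudwatch_log_group" "jenkins_controller_log_group" {
  name       = "/ecs/jenkins-controller"
  kms_key_id = aws_kms_key.logs.arn
}

# Finding 3: explicit ECR repository policy, pull-only, no action wildcards.
resource "aws_ecr_repository_policy" "jenkins_controller" {
  repository = aws_ecr_repository.jenkins_controller.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = var.ecs_execution_role_arn }  # assumed variable
      Action    = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                   "ecr:BatchCheckLayerAvailability"]
    }]
  })
}

# Finding 4: EFS policy scoped to the task role and to TLS-only mounts.
resource "aws_efs_file_system_policy" "this" {
  file_system_id = aws_efs_file_system.this.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = var.ecs_task_role_arn }  # assumed variable
      Action    = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
      Resource  = aws_efs_file_system.this.arn
      Condition = { Bool = { "aws:SecureTransport" = "true" } }
    }]
  })
}
```

Re-running the scanner after `terraform plan` confirms which findings clear; the HTTPS target group in particular will fail health checks unless the container really serves TLS.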

apogorielov commented 3 years ago

Hi yi2020,

Thank you for your contribution. Marked comments were addressed.

Kind regards, Alex