Is your idea related to a problem? Please describe.
Test infrastructure can be remediated to pass AWS standard security checks.
There is a work-in-progress PR to implement this as an automated check: https://github.com/awslabs/aws-data-wrangler/pull/1144
Describe the solution you'd like
Running cfn_nag against the test infrastructure stacks yields the following report (warnings omitted):
[*] running cfn-nag for stack: base
------------------------------------------------------------
| FAIL F19
|
| Resource: ["awsdatawranglerkey9E1BF2DA"]
| Line Numbers: [278]
|
| EnableKeyRotation should not be false or absent on KMS::Key resource
------------------------------------------------------------
Failures count: 1
[*] running cfn-nag for stack: lakeformation
------------------------------------------------------------
Failures count: 0
------------------------------------------------------------
| FAIL F26
|
| Resource: ["awsdatawranglerauroraclusterpostgresql765A3734", "awsdatawranglerauroraclustermysqlE948BF25"]
| Line Numbers: [399, 606]
|
| RDS DBCluster should have StorageEncrypted enabled
------------------------------------------------------------
| FAIL F24
|
| Resource: ["awsdatawranglersqlserverinstance425D4DFF"]
| Line Numbers: [834]
|
| RDS instance master username must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
------------------------------------------------------------
| FAIL F27
|
| Resource: ["awsdatawranglersqlserverinstance425D4DFF"]
| Line Numbers: [834]
|
| RDS DBInstance should have StorageEncrypted enabled
------------------------------------------------------------
| FAIL F80
|
| Resource: ["awsdatawranglersqlserverinstance425D4DFF"]
| Line Numbers: [834]
|
| RDS instance should have deletion protection enabled
------------------------------------------------------------
| FAIL F22
|
| Resource: ["awsdatawranglerauroraclusterpostgresqlInstance1676DFD33", "awsdatawranglerauroraclustermysqlInstance109EC8885", "awsdatawranglersqlserverinstance425D4DFF"]
| Line Numbers: [438, 644, 834]
|
| RDS instance should not be publicly accessible
------------------------------------------------------------
Failures count: 8
[*] running cfn-nag for stack: opensearch
------------------------------------------------------------
Failures count: 0
Need to determine which of these reports yields remediation and which warrants suppression.
P.S. Don't attach files. Please prefer adding code snippets directly in the message body.
F19 (Remediate): should be remediated. It costs $1/year to enable key rotation and has no impact on the current infra.
databases stack
F26 and F27 (Suppress): the purpose of these RDS instances should be limited to testing with mock data. Enabling storage encryption seems excessive imo.
F80 (Suppress?): Can we investigate the impact of turning on deletion protection on the retention policy in the stack? If turning it on would mean that deleting the stack would retain the cluster or would fail the stack, then I am in favor of suppressing, as again no valuable data should be there in the first place.
F24 (Suppress): Ideally we would want a "NoEcho Parameter without a Default" but that adds friction to the user experience of deploying these stacks
F22 (Remediate?): Not sure about this one. I suppose the instance security group is already blocking inbound public traffic from outside the VPC. So this would be redundant but at the same time cannot hurt?
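The six findings in the report and the remediate/suppress options discussed in the comment above, as an added example that is not part of the original issue and not code from the aws-data-wrangler test infrastructure. The CloudFormation template below is constructed (JSON, made-up logical IDs, a hypothetical secret name) and places the weak setting next to the remediated one for each flagged rule; the small checker re-implements the logic of those six cfn-nag rules (it is not cfn-nag itself) and honours per-resource `Metadata.cfn_nag.rules_to_suppress`, which is the mechanism cfn-nag provides for recording suppressions such as the ones proposed for F24, F26, F27 and F80.

```python
"""Mini re-implementation of the cfn-nag rules F19, F22, F24, F26, F27 and F80.

Added illustration only: not cfn-nag, not aws-data-wrangler code. The
template is constructed; logical IDs and the secret name are made up.
"""
import json
import re

# Constructed template: one weak and one remediated (or suppressed) variant
# of each resource type the report flags.
TEMPLATE = json.loads(r"""
{
  "Parameters": {
    "DbUser":       {"Type": "String", "Default": "admin"},
    "DbUserSecret": {"Type": "String", "NoEcho": true}
  },
  "Resources": {
    "WeakKey": {"Type": "AWS::KMS::Key", "Properties": {}},
    "GoodKey": {"Type": "AWS::KMS::Key",
                "Properties": {"EnableKeyRotation": true}},
    "WeakCluster": {"Type": "AWS::RDS::DBCluster",
                    "Properties": {"Engine": "aurora-postgresql"}},
    "GoodCluster": {"Type": "AWS::RDS::DBCluster",
                    "Properties": {"Engine": "aurora-postgresql",
                                   "StorageEncrypted": true}},
    "WeakInstance": {"Type": "AWS::RDS::DBInstance",
                     "Properties": {"Engine": "sqlserver-ex",
                                    "MasterUsername": {"Ref": "DbUser"},
                                    "PubliclyAccessible": true}},
    "GoodInstance": {"Type": "AWS::RDS::DBInstance",
                     "Properties": {"Engine": "sqlserver-ex",
                                    "MasterUsername": "{{resolve:secretsmanager:example-db-secret:SecretString:username}}",
                                    "StorageEncrypted": true,
                                    "DeletionProtection": true,
                                    "PubliclyAccessible": false}},
    "SuppressedInstance": {"Type": "AWS::RDS::DBInstance",
        "Metadata": {"cfn_nag": {"rules_to_suppress": [
            {"id": "F27", "reason": "test-only instance holding mock data"},
            {"id": "F80", "reason": "stack must be fully deletable"}]}},
        "Properties": {"Engine": "sqlserver-ex",
                       "MasterUsername": {"Ref": "DbUserSecret"},
                       "StorageEncrypted": false,
                       "DeletionProtection": false,
                       "PubliclyAccessible": false}}
  }
}
""")

SECRET_REF = re.compile(r"\{\{resolve:secretsmanager:")


def username_is_safe(value, params):
    """F24 logic: a plaintext string or a Ref to a Parameter with a Default
    fails; a Ref to a NoEcho Parameter without a Default, or a dynamic
    secretsmanager reference, passes."""
    if isinstance(value, str):
        return bool(SECRET_REF.search(value))
    if isinstance(value, dict) and "Ref" in value:
        param = params.get(value["Ref"], {})
        return param.get("NoEcho") is True and "Default" not in param
    return False


# rule id -> (resource type, predicate that is True when the resource FAILS)
RULES = {
    "F19": ("AWS::KMS::Key", lambda p, _: p.get("EnableKeyRotation") is not True),
    "F26": ("AWS::RDS::DBCluster", lambda p, _: p.get("StorageEncrypted") is not True),
    "F27": ("AWS::RDS::DBInstance", lambda p, _: p.get("StorageEncrypted") is not True),
    "F80": ("AWS::RDS::DBInstance", lambda p, _: p.get("DeletionProtection") is not True),
    "F22": ("AWS::RDS::DBInstance", lambda p, _: p.get("PubliclyAccessible") is True),
    "F24": ("AWS::RDS::DBInstance",
            lambda p, params: not username_is_safe(p.get("MasterUsername"), params)),
}


def suppressed_ids(resource):
    """Rule ids listed under the resource's cfn_nag suppression metadata."""
    meta = resource.get("Metadata", {}).get("cfn_nag", {})
    return {entry["id"] for entry in meta.get("rules_to_suppress", [])}


def run_checks(template):
    """Return {rule_id: sorted failing logical ids}, skipping suppressed rules."""
    params = template.get("Parameters", {})
    failures = {}
    for logical_id, res in template.get("Resources", {}).items():
        skip = suppressed_ids(res)
        for rule_id, (rtype, fails) in RULES.items():
            if res.get("Type") != rtype or rule_id in skip:
                continue
            if fails(res.get("Properties", {}), params):
                failures.setdefault(rule_id, []).append(logical_id)
    return {k: sorted(v) for k, v in failures.items()}


if __name__ == "__main__":
    for rule_id, ids in sorted(run_checks(TEMPLATE).items()):
        print(f"FAIL {rule_id}: {ids}")
```

Running it reports only the `Weak*` resources: `GoodInstance` shows what full remediation looks like, and `SuppressedInstance` shows how an accepted finding (F27/F80 on a mock-data instance) is silenced with a recorded reason rather than by weakening the rule; note that suppression keeps F22 and F24 active on that instance, so the checks that cost nothing still apply.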