tfsec findings review

[juju4]

Background:

tfsec has been set to continue-on-error and seems we need a catch-up as said on discord https://github.com/blueteamvillage/DC31-obsidian-sec-eng/actions/runs/4393053053/jobs/7693199551#step:4:903

  results
  ──────────────────────────────────────────
  passed               137
  ignored              3
  critical             14
  high                 10
  medium               2
  low                  10

  137 passed, 3 ignored, 36 potential problem(s) detected.

some are expected like teleport internet inbound

tfsec also put in critical egress internet access (" Result 7 CRITICAL Security group rule allows egress to multiple public internet addresses. ") like for

• corp_docker_allow_egress
• win_dc_sg
• metrics_allow_egress
• log4j_allow_egress
• velociraptor_allow_egress
• cribl_allow_egress
• securityonion_server_sg2
• red_team_servers_allow_egress Mitigating it would mean a web proxy but not in DC30 architecture, nor DC31 current one.

In high, for teleport

• Result 16 HIGH IAM policy document uses wildcarded action 'dynamodb:*'
• Result 21 HIGH Bucket does not encrypt data with a customer managed key.

In high, for DC

• Result 22 HIGH Instance does not require IMDS access to require a token

Per previous conversation, to allow easy imaging/forensics, "Result 23 HIGH Root block device is not encrypted. " should be ignore for corresponding servers

In medium

• Result 25 MEDIUM VPC Flow Logs is not enabled for VPC
• Result 26 MEDIUM Bucket does not have logging enabled

Ignore part should added flag as per https://aquasecurity.github.io/tfsec/v0.61.3/getting-started/configuration/ignores/

Leaving the low aside

[juju4]

added egress ignore flags and few low/description in my PR

[TheBlackPacket]

Postponed until after kill chain