tfsec also puts egress internet access in critical ("Result 7 CRITICAL Security group rule allows egress to multiple public internet addresses."), for example for:
corp_docker_allow_egress
win_dc_sg
metrics_allow_egress
log4j_allow_egress
velociraptor_allow_egress
cribl_allow_egress
securityonion_server_sg2
red_team_servers_allow_egress
Mitigating it would mean a web proxy, but that is not in the DC30 architecture, nor in the current DC31 one.
In high, for teleport:
Result 16 HIGH IAM policy document uses wildcarded action 'dynamodb:*'
Result 21 HIGH Bucket does not encrypt data with a customer managed key.
In high, for DC:
Result 22 HIGH Instance does not require IMDS access to require a token
Per previous conversation, to allow easy imaging/forensics, "Result 23 HIGH Root block device is not encrypted." should be ignored for the corresponding servers.
In medium:
Result 25 MEDIUM VPC Flow Logs is not enabled for VPC
Result 26 MEDIUM Bucket does not have logging enabled
Background:
tfsec has been set to continue-on-error and it seems we need a catch-up, as said on Discord: https://github.com/blueteamvillage/DC31-obsidian-sec-eng/actions/runs/4393053053/jobs/7693199551#step:4:903
Some are expected, like teleport internet inbound.
The ignored findings should be added as ignore flags, as per https://aquasecurity.github.io/tfsec/v0.61.3/getting-started/configuration/ignores/
Leaving the low ones aside.
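As an added example (not code from the DC31-obsidian-sec-eng repository), this is how the accepted findings above could be recorded as scoped, expiring tfsec ignore comments, and how the IMDS finding (Result 22) is fixed rather than ignored. Resource names, AMI/subnet/VPC IDs and the expiry date are placeholders; the check IDs are the long-form tfsec IDs as I recall them, so verify them against the IDs printed in the failing tfsec run before copying.

```hcl
# Added example, not part of the original issue or repository.
# Check IDs (aws-vpc-no-public-egress-sgr, aws-ec2-enable-at-rest-encryption)
# are assumed from memory; confirm them in your tfsec output.

# Result 7 (egress to public internet): accepted because no web proxy exists in
# the DC30/DC31 architecture. The ignore sits on the offending line only, so
# every other rule in the security group is still evaluated.
resource "aws_security_group" "velociraptor_allow_egress" {
  name   = "velociraptor_allow_egress"
  vpc_id = "vpc-PLACEHOLDER" # placeholder

  egress {
    description = "Agents reach OS and package repositories over HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    #tfsec:ignore:aws-vpc-no-public-egress-sgr:exp:2023-09-01
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Result 23 (root block device not encrypted): intentionally unencrypted on
# hosts that must be imaged for forensics. The :exp: date forces the exception
# to be revisited instead of living on silently; the block-level comment
# scopes it to this one instance.
#tfsec:ignore:aws-ec2-enable-at-rest-encryption:exp:2023-09-01
resource "aws_instance" "win_dc" {
  ami           = "ami-PLACEHOLDER"    # placeholder
  instance_type = "t3.large"
  subnet_id     = "subnet-PLACEHOLDER" # placeholder

  root_block_device {
    encrypted = false # intentional: forensic imaging workflow
  }

  # Result 22 (IMDS access does not require a token): remediated, not ignored.
  # Requiring IMDSv2 session tokens is the setting tfsec checks for.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
```

With these comments in place, a plain `tfsec .` run no longer fails on the two accepted results while still reporting everything else, and once the expiry date passes the findings reappear, which is the point of dating the exceptions. Repository-wide excludes are also possible through the tfsec config file described on the linked page, but per-line ignores keep the justification next to the resource it applies to.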