cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License

Disabling controls in Security hub #326

Closed sylviamclaughlin closed 1 year ago

sylviamclaughlin commented 1 year ago

Summary | Résumé

This is in relation to #136. This is a draft PR to disable the controls that we are disabling in our custom CDS conformance pack. More to be added, but I just wanted to be on the right track before adding all the excluded rules.

github-actions[bot] commented 1 year ago

Staging: security_hub

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 4 to add, 0 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| add | `aws_securityhub_standards_control.disabled_controls["aws-foundational-security-best-practices/v/1.0.0/Lambda.1"]` |
| | `aws_securityhub_standards_control.disabled_controls["aws-foundational-security-best-practices/v/1.0.0/Lambda.3"]` |
| | `aws_securityhub_standards_control.disabled_controls["aws-foundational-security-best-practices/v/1.0.0/S3.9"]` |
| | `aws_securityhub_standards_control.disabled_controls["aws-foundational-security-best-practices/v/1.0.0/SNS.1"]` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_securityhub_standards_control.disabled_controls["aws-foundational-security-best-practices/v/1.0.0/Lambda.1"] will be created
  + resource "aws_securityhub_standards_control" "disabled_controls" {
      + control_id                = (known after apply)
      + control_status            = "DISABLED"
      + control_status_updated_at = (known after apply)
      + description               = (known after apply)
      + disabled_reason           = "Lambda needs to be publicly accessible in order for the application to work"
      + id                        = (known after apply)
      + related_requirements      = (known after apply)
      + remediation_url           = (known after apply)
      + severity_rating           = (known after apply)
      + standards_control_arn     = "arn:aws:securityhub:ca-central-1:843973686572:control/aws-foundational-security-best-practices/v/1.0.0/Lambda.1"
      + title                     = (known after apply)
    }

  # aws_securityhub_standards_control.disabled_controls["aws-foundational-security-best-practices/v/1.0.0/Lambda.3"] will be created
  + resource "aws_securityhub_standards_control" "disabled_controls" {
      + control_id                = (known after apply)
      + control_status            = "DISABLED"
      + control_status_updated_at = (known after apply)
      + description               = (known after apply)
      + disabled_reason           = "The lambdas that are not inside VPC are organization/global account pertaining functions"
      + id                        = (known after apply)
      + related_requirements      = (known after apply)
      + remediation_url           = (known after apply)
      + severity_rating           = (known after apply)
      + standards_control_arn     = "arn:aws:securityhub:ca-central-1:843973686572:control/aws-foundational-security-best-practices/v/1.0.0/Lambda.3"
      + title                     = (known after apply)
    }

  # aws_securityhub_standards_control.disabled_controls["aws-foundational-security-best-practices/v/1.0.0/S3.9"] will be created
  + resource "aws_securityhub_standards_control" "disabled_controls" {
      + control_id                = (known after apply)
      + control_status            = "DISABLED"
      + control_status_updated_at = (known after apply)
      + description               = (known after apply)
      + disabled_reason           = "The S3 buckets are used for storing terraform state and therefore logging is not needed"
      + id                        = (known after apply)
      + related_requirements      = (known after apply)
      + remediation_url           = (known after apply)
      + severity_rating           = (known after apply)
      + standards_control_arn     = "arn:aws:securityhub:ca-central-1:843973686572:control/aws-foundational-security-best-practices/v/1.0.0/S3.9"
      + title                     = (known after apply)
    }

  # aws_securityhub_standards_control.disabled_controls["aws-foundational-security-best-practices/v/1.0.0/SNS.1"] will be created
  + resource "aws_securityhub_standards_control" "disabled_controls" {
      + control_id                = (known after apply)
      + control_status            = "DISABLED"
      + control_status_updated_at = (known after apply)
      + description               = (known after apply)
      + disabled_reason           = "Default encryption is acceptable for Alert messages"
      + id                        = (known after apply)
      + related_requirements      = (known after apply)
      + remediation_url           = (known after apply)
      + severity_rating           = (known after apply)
      + standards_control_arn     = "arn:aws:securityhub:ca-central-1:843973686572:control/aws-foundational-security-best-practices/v/1.0.0/SNS.1"
      + title                     = (known after apply)
    }

Plan: 4 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions
```
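A Terraform configuration that would yield the four `disabled_controls` resources in the plan above, written here as an added example rather than taken from the PR's own code: the `local.disabled_controls` map, the `data` sources used in place of the hard-coded account and region, and the `precondition` are assumptions. It keeps each disabled reason beside the control it excuses, so every exception to the standard is reviewable in the same diff that introduces it.

```terraform
# Added example (not the PR's code). Assumes the AWS Foundational Security Best
# Practices standard is already subscribed in this account and region.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  standard = "aws-foundational-security-best-practices/v/1.0.0"

  # Control ID => reason recorded in Security Hub. Every disabled control must
  # carry a reason; an unexplained exception is a finding in its own right.
  disabled_controls = {
    "Lambda.1" = "Lambda needs to be publicly accessible in order for the application to work"
    "Lambda.3" = "The lambdas that are not inside VPC are organization/global account pertaining functions"
    "S3.9"     = "The S3 buckets are used for storing terraform state and therefore logging is not needed"
    "SNS.1"    = "Default encryption is acceptable for Alert messages"
  }
}

resource "aws_securityhub_standards_control" "disabled_controls" {
  # Key the instances by "<standard>/<control>" so the plan addresses match
  # the ones shown above and adding a control never re-creates another.
  for_each = {
    for id, reason in local.disabled_controls : "${local.standard}/${id}" => reason
  }

  standards_control_arn = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:control/${each.key}"
  control_status        = "DISABLED"
  disabled_reason       = each.value

  lifecycle {
    # Fail the plan rather than silently disable a control with an empty reason.
    precondition {
      condition     = length(trimspace(each.value)) > 0
      error_message = "Every disabled Security Hub control must state a reason."
    }
  }
}
```

Re-enabling a control is then a one-line removal from the map, which shows up in the plan as a destroy of that instance, so the change is as visible as the original exception.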
sylviamclaughlin commented 1 year ago

Closing this PR since we are no longer working on the URL shortener.