tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Terrascan not able to find terraform config files in a sub directory, but it works in case of k8s infrastructure type #622

Closed Saini01Basu closed 3 years ago

Saini01Basu commented 3 years ago

Description

I have cloned a publicly available terragoat project which has terraform config files for aws, gcp and azure. I wanted to get a collated scan report for all config files. The config files are placed under /terraform/aws, /terraform/gcp, /terraform/azure. It is not able to scan all config files at once but individually it works.

What I Did

I ran the command - terrascan scan -d ./terraform -t all

It throws error - cli/run.go:101 scan run failed{error 26 0 directory 'C:\Users\saini_basu\Documents\terragoat\terraform' has no terraform config files}

(screenshot: terrascan_error)
Saini01Basu commented 3 years ago

Cloned another publicly available goat application "kubernetes-goat" which has k8s config files. The config files are present under various sub directories within scenarios folder. I ran the command - terrascan scan -d ./scenarios -i k8s

It is able to find all config files within different sub directories and produce a collated result in this case.

(screenshot: terrascan_k8s)
kanchwala-yusuf commented 3 years ago

Hi @Saini01Basu,

Thank you for trying out terrascan and reporting this issue.

You are correct in your analysis that terrascan behavior varies a little for terraform and k8s. For k8s iac type, terrascan recursively scans all the directories.

But for terraform, terrascan actually tries to emulate the behavior of terraform plan to load terraform resources. It is ideally expected that terrascan is executed from the directory from where terraform plan is executed.

Also, there is an open issue for this https://github.com/accurics/terrascan/issues/411

Hope this helps!

Saini01Basu commented 3 years ago

This helps @kanchwala-yusuf :) We are considering another scan tool called checkov, which is able to produce a collated result for terraform as well. So I was wondering if this feature could be added to terrascan?

patilpankaj212 commented 3 years ago

Hi @Saini01Basu, we have implemented sub folder scanning feature for terraform as well. Can you please try it out and let us know if you face any issue?

patilpankaj212 commented 3 years ago

Hi @Saini01Basu, the changes for terraform sub folder scanning are available in v1.6.0; you can run the below command:

terrascan scan -i terraform -d dirPath

Also, we introduced a new flag --non-recursive. If the flag is used then terrascan will not scan sub directories recursively:

terrascan scan -i terraform -d dirPath --non-recursive

Note: The --non-recursive flag is only applicable for the terraform iac type.
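The two modes described in this thread, as an added illustration in Go that is not terrascan's own code: a walker that, like terraform plan, treats every directory directly holding .tf files as its own plan root, descends into sub directories unless asked not to, and reports the "has no terraform config files" error when nothing is found. The sample tree is constructed to mirror terragoat's terraform/{aws,gcp,azure} layout; the function names and the skipping of hidden directories such as .terraform are my assumptions, not documented terrascan behaviour.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// hasTerraformFiles reports whether dir directly contains at least one .tf or
// .tf.json file, i.e. whether `terraform plan` run in dir would load anything.
func hasTerraformFiles(dir string) (bool, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return false, err
	}
	for _, e := range entries {
		name := e.Name()
		if !e.IsDir() && (strings.HasSuffix(name, ".tf") || strings.HasSuffix(name, ".tf.json")) {
			return true, nil
		}
	}
	return false, nil
}

// FindTerraformRoots returns the directories under root ("." for root itself,
// otherwise slash-separated paths relative to root, in lexical order) that
// directly hold terraform config files and so form separate plan roots.
//   nonRecursive=false : descend into every sub directory (the v1.6.0 default)
//   nonRecursive=true  : inspect root only (what --non-recursive asks for)
// Hidden directories (.git, .terraform) are skipped, an assumption made here so
// that a module cache is never reported as a root. When nothing is found the
// error mirrors the one quoted at the top of this issue.
func FindTerraformRoots(root string, nonRecursive bool) ([]string, error) {
	var roots []string
	walk := func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() {
			return nil
		}
		if path != root && (nonRecursive || strings.HasPrefix(d.Name(), ".")) {
			return filepath.SkipDir
		}
		ok, err := hasTerraformFiles(path)
		if err != nil || !ok {
			return err
		}
		rel, _ := filepath.Rel(root, path) // path is always below root here
		roots = append(roots, filepath.ToSlash(rel))
		return nil
	}
	if err := filepath.WalkDir(root, walk); err != nil {
		return nil, err
	}
	if len(roots) == 0 {
		return nil, fmt.Errorf("directory '%s' has no terraform config files", root)
	}
	return roots, nil
}

// BuildSampleTree writes a constructed layout modelled on terragoat's
// terraform/{aws,gcp,azure} folders, plus a docs folder without .tf files and
// a .terraform cache that must be ignored. It returns the terraform directory.
func BuildSampleTree(base string) (string, error) {
	tf := filepath.Join(base, "terraform")
	files := map[string]string{
		"aws/ec2.tf":                   "resource \"aws_instance\" \"web_host\" {}\n",
		"gcp/gke.tf":                   "resource \"google_container_cluster\" \"workload_cluster\" {}\n",
		"azure/main.tf":                "resource \"azurerm_resource_group\" \"rg\" {}\n",
		"docs/README.md":               "no terraform config here\n",
		".terraform/modules/x/main.tf": "# module cache, must be skipped\n",
	}
	for rel, body := range files {
		p := filepath.Join(tf, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return tf, nil
}

func main() {
	base, err := os.MkdirTemp("", "terrascan-roots")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	tf, _ := BuildSampleTree(base)
	for _, nonRecursive := range []bool{false, true} {
		roots, err := FindTerraformRoots(tf, nonRecursive)
		fmt.Printf("nonRecursive=%v roots=%v err=%v\n", nonRecursive, roots, err)
	}
}
```

Running it shows the recursive walk reporting aws, azure and gcp as plan roots, while the non-recursive walk of the parent directory reproduces the original "has no terraform config files" error.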

Saini01Basu commented 3 years ago

Sure, thanks for the info, will definitely try it out.

Saini01Basu commented 3 years ago

It worked, thanks a lot for adding this feature.

patilpankaj212 commented 3 years ago

Thanks for trying it out @Saini01Basu. I will close this issue.

Saini01Basu commented 3 years ago

Hey, but I noticed that for this project - https://github.com/bridgecrewio/terragoat/tree/master/terraform - it only scanned aws recursively, not gcp and azure.

Saini01Basu commented 3 years ago

I didn't add any -t option, so the default is "all", right? So it should have scanned gcp and azure as well, right?

patilpankaj212 commented 3 years ago

Yes @Saini01Basu, by default the directory will be scanned with all policies. I will have a look and reply back.

patilpankaj212 commented 3 years ago

Hey, I tried out the repository shared by you with the below command:

terrascan scan -r git -u https://github.com/bridgecrewio/terragoat.git//terraform -v

All folders were scanned, see the output below:

Violation Details -

    Description    :    Ensure Stackdriver Logging is enabled on Kubernetes Engine Clusters.
    File           :    gcp/gke.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    6
    Severity       :    HIGH
    Rule Name      :    stackDriverLoggingEnabled
    Rule ID        :    accurics.gcp.LOG.100
    Resource Name  :    workload_cluster
    Resource Type  :    google_container_cluster
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure Legacy Authorization is set to disabled on Kubernetes Engine Clusters.
    File           :    gcp/gke.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    6
    Severity       :    HIGH
    Rule Name      :    legacyAuthEnabled
    Rule ID        :    accurics.gcp.IAM.142
    Resource Name  :    workload_cluster
    Resource Type  :    google_container_cluster
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure Stackdriver Monitoring is enabled on Kubernetes Engine Clusters.
    File           :    gcp/gke.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    6
    Severity       :    HIGH
    Rule Name      :    stackDriverMonitoringEnabled
    Rule ID        :    accurics.gcp.MON.143
    Resource Name  :    workload_cluster
    Resource Type  :    google_container_cluster
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    BigQuery datasets may be anonymously or publicly accessible.
    File           :    gcp/big_data.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    21
    Severity       :    HIGH
    Rule Name      :    bqDatasetPubliclyAccessible
    Rule ID        :    accurics.gcp.IAM.106
    Resource Name  :    dataset
    Resource Type  :    google_bigquery_dataset
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
    File           :    gcp/gcs.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    16
    Severity       :    MEDIUM
    Rule Name      :    checkPubliclyAccessible
    Rule ID        :    accurics.gcp.IAM.121
    Resource Name  :    allow_public_read
    Resource Type  :    google_storage_bucket_iam_binding
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure that Cloud SQL database instance requires all incoming connections to use SSL
    File           :    gcp/big_data.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    checkRequireSSLEnabled
    Rule ID        :    accurics.gcp.EKM.141
    Resource Name  :    master_instance
    Resource Type  :    google_sql_database_instance
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) .
    File           :    gcp/instances.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    36
    Severity       :    MEDIUM
    Rule Name      :    vmEncryptedwithCsek
    Rule ID        :    accurics.gcp.EKM.131
    Resource Name  :    unencrypted_disk
    Resource Type  :    google_compute_disk
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure that Cloud Storage buckets have uniform bucket-level access enabled.
    File           :    gcp/gcs.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    uniformBucketEnabled
    Rule ID        :    accurics.gcp.IAM.122
    Resource Name  :    terragoat_website
    Resource Type  :    google_storage_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.
    File           :    gcp/gke.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    24
    Severity       :    HIGH
    Rule Name      :    cosNodeImageUsed
    Rule ID        :    accurics.gcp.OPS.114
    Resource Name  :    custom_node_pool
    Resource Type  :    google_container_node_pool
    Category       :    Compliance Validation

    -----------------------------------------------------------------------

    Description    :    Ensure all Cloud SQL database instance have backup configuration enabled.
    File           :    gcp/big_data.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    backupConfigEnabled
    Rule ID        :    accurics.gcp.BDR.105
    Resource Name  :    master_instance
    Resource Type  :    google_sql_database_instance
    Category       :    Resilience

    -----------------------------------------------------------------------

    Description    :    Ensure IP forwarding is not enabled on Instances.
    File           :    gcp/instances.tf
    Module Name    :    root
    Plan Root      :    gcp
    Line           :    3
    Severity       :    MEDIUM
    Rule Name      :    checkIpForward
    Rule ID        :    accurics.gcp.NS.130
    Resource Name  :    server
    Resource Type  :    google_compute_instance
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Enable AWS ElasticSearch Encryption At Rest
    File           :    aws/es.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    elastiSearchEncryptAtRest
    Rule ID        :    AWS.ElasticSearch.EKM.Medium.0778
    Resource Name  :    monitoring-framework
    Resource Type  :    aws_elasticsearch_domain
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    ec2UsingIMDSv1
    Rule ID        :    AC-AWS-NS-IN-M-1172
    Resource Name  :    web_host
    Resource Type  :    aws_instance
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain
    File           :    aws/db-app.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    242
    Severity       :    MEDIUM
    Rule Name      :    ec2UsingIMDSv1
    Rule ID        :    AC-AWS-NS-IN-M-1172
    Resource Name  :    db_app
    Resource Type  :    aws_instance
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure ECR repository has policy attached.
    File           :    aws/ecr.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    ecrNoSecurePolicyAttached
    Rule ID        :    AC_AWS_058
    Resource Name  :    repository
    Resource Type  :    aws_ecr_repository
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    ssh port open to internet
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    77
    Severity       :    HIGH
    Rule Name      :    port22OpenToInternet
    Rule ID        :    AWS.SecurityGroup.NetworkPortsSecurity.Low.0560
    Resource Name  :    web-node
    Resource Type  :    aws_security_group
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure that your RDS database has IAM Authentication enabled.
    File           :    aws/db-app.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    rdsIamAuthEnabled
    Rule ID        :    AWS.RDS.DataSecurity.High.0577
    Resource Name  :    default
    Resource Type  :    aws_db_instance
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    http port open to internet
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    77
    Severity       :    HIGH
    Rule Name      :    port80OpenToInternet
    Rule ID        :    AWS.SecurityGroup.NetworkPortsSecurity.Low.0561
    Resource Name  :    web-node
    Resource Type  :    aws_security_group
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Enable AWS EBS Snapshot Encryption
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    34
    Severity       :    HIGH
    Rule Name      :    ebsSnapshotDisabled
    Rule ID        :    AWS.EBS.EKM.Medium.0682
    Resource Name  :    web_host_storage
    Resource Type  :    aws_ebs_volume
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure S3 object is Encrypted
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    24
    Severity       :    MEDIUM
    Rule Name      :    notEncryptedObject
    Rule ID        :    AC_AWS_034
    Resource Name  :    data_object
    Resource Type  :    aws_s3_bucket_object
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure ECR repository is encrypted at rest
    File           :    aws/ecr.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    ecrNotEncrypted
    Rule ID        :    AC_AWS_026
    Resource Name  :    repository
    Resource Type  :    aws_ecr_repository
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    43
    Severity       :    HIGH
    Rule Name      :    s3BucketSseRulesWithKmsNull
    Rule ID        :    AWS.S3Bucket.EncryptionandKeyManagement.High.0405
    Resource Name  :    financials
    Resource Type  :    aws_s3_bucket
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    s3BucketSseRulesWithKmsNull
    Rule ID        :    AWS.S3Bucket.EncryptionandKeyManagement.High.0405
    Resource Name  :    data
    Resource Type  :    aws_s3_bucket
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    66
    Severity       :    HIGH
    Rule Name      :    s3BucketSseRulesWithKmsNull
    Rule ID        :    AWS.S3Bucket.EncryptionandKeyManagement.High.0405
    Resource Name  :    operations
    Resource Type  :    aws_s3_bucket
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    271
    Severity       :    HIGH
    Rule Name      :    s3BucketSseRulesWithKmsNull
    Rule ID        :    AWS.S3Bucket.EncryptionandKeyManagement.High.0405
    Resource Name  :    flowbucket
    Resource Type  :    aws_s3_bucket
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    91
    Severity       :    HIGH
    Rule Name      :    s3BucketSseRulesWithKmsNull
    Rule ID        :    AWS.S3Bucket.EncryptionandKeyManagement.High.0405
    Resource Name  :    data_science
    Resource Type  :    aws_s3_bucket
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Lambda tracing is not enabled.
    File           :    aws/lambda.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    31
    Severity       :    LOW
    Rule Name      :    lambdaXRayTracingDisabled
    Rule ID        :    AWS.LambdaFunction.Logging.0470
    Resource Name  :    analysis_lambda
    Resource Type  :    aws_lambda_function
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    AWS ELB incoming traffic not encrypted
    File           :    aws/elb.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    2
    Severity       :    LOW
    Rule Name      :    elbLbProtocolNotSecured
    Rule ID        :    AWS.ELB.NetworkPortsSecurity.Low.0563
    Resource Name  :    weblb
    Resource Type  :    aws_elb
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    S3 bucket Access is allowed to all AWS Account Users.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    43
    Severity       :    HIGH
    Rule Name      :    s3EnforceUserACL
    Rule ID        :    AWS.S3Bucket.DS.High.1043
    Resource Name  :    financials
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    S3 bucket Access is allowed to all AWS Account Users.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    s3EnforceUserACL
    Rule ID        :    AWS.S3Bucket.DS.High.1043
    Resource Name  :    data
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    S3 bucket Access is allowed to all AWS Account Users.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    66
    Severity       :    HIGH
    Rule Name      :    s3EnforceUserACL
    Rule ID        :    AWS.S3Bucket.DS.High.1043
    Resource Name  :    operations
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    S3 bucket Access is allowed to all AWS Account Users.
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    271
    Severity       :    HIGH
    Rule Name      :    s3EnforceUserACL
    Rule ID        :    AWS.S3Bucket.DS.High.1043
    Resource Name  :    flowbucket
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    S3 bucket Access is allowed to all AWS Account Users.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    115
    Severity       :    HIGH
    Rule Name      :    s3EnforceUserACL
    Rule ID        :    AWS.S3Bucket.DS.High.1043
    Resource Name  :    logs
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    S3 bucket Access is allowed to all AWS Account Users.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    91
    Severity       :    HIGH
    Rule Name      :    s3EnforceUserACL
    Rule ID        :    AWS.S3Bucket.DS.High.1043
    Resource Name  :    data_science
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.
    File           :    aws/db-app.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    rdsHasStorageEncrypted
    Rule ID        :    AWS.RDS.DataSecurity.High.0414
    Resource Name  :    default
    Resource Type  :    aws_db_instance
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    RDS Instance publicly_accessible flag is true
    File           :    aws/db-app.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    rdsPubliclyAccessible
    Rule ID        :    AWS.RDS.NS.High.0101
    Resource Name  :    default
    Resource Type  :    aws_db_instance
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure Neptune Cluster is Encrypted
    File           :    aws/neptune.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    neptuneClusterNotEncrypted
    Rule ID        :    AC_AWS_030
    Resource Name  :    default
    Resource Type  :    aws_neptune_cluster
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Lambda function doesn't not include a VPC configuration.
    File           :    aws/lambda.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    31
    Severity       :    Low
    Rule Name      :    lambdaNotInVpc
    Rule ID        :    AWS.LambdaFunction.Logging.0472
    Resource Name  :    analysis_lambda
    Resource Type  :    aws_lambda_function
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Lambda does not use KMS CMK key to protect environment variables.
    File           :    aws/lambda.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    31
    Severity       :    High
    Rule Name      :    lambdaNotEncryptedWithKms
    Rule ID        :    AWS.LambdaFunction.EncryptionandKeyManagement.0471
    Resource Name  :    analysis_lambda
    Resource Type  :    aws_lambda_function
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure IAM policies are attached only to groups or roles
    File           :    aws/iam.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    25
    Severity       :    MEDIUM
    Rule Name      :    iamUserInlinePolicy
    Rule ID        :    AC_AWS_049
    Resource Name  :    userpolicy
    Resource Type  :    aws_iam_user_policy
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure Elasticsearch domains being created are set to be encrypted node-to-node
    File           :    aws/es.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    noNodeToNodeEncryptionDomain
    Rule ID        :    AC_AWS_045
    Resource Name  :    monitoring-framework
    Resource Type  :    aws_elasticsearch_domain
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure that your AWS Elasticsearch clusters have enabled the support for publishing slow logs to AWS CloudWatch Logs. This feature enables you to publish slow logs from the indexing and search operations performed on your ES clusters and gain full insight into the performance of these operations.
    File           :    aws/es.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    esloggingdisabled
    Rule ID        :    AWS.Elasticsearch.Logging.Medium.0573
    Resource Name  :    monitoring-framework
    Resource Type  :    aws_elasticsearch_domain
    Category       :    Compliance Validation

    -----------------------------------------------------------------------

    Description    :    Ensure AWS ELB has access logging enabled.
    File           :    aws/elb.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    2
    Severity       :    MEDIUM
    Rule Name      :    elbAccessLoggingDisabled
    Rule ID        :    AC_AWS_072
    Resource Name  :    weblb
    Resource Type  :    aws_elb
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure that there are no exposed Amazon IAM access keys in order to protect your AWS resources against unapproved access
    File           :    aws/iam.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    21
    Severity       :    MEDIUM
    Rule Name      :    programmaticAccessCreation
    Rule ID        :    AWS.IamUser.IAM.High.0391
    Resource Name  :    user
    Resource Type  :    aws_iam_access_key
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure AWS Neptune clusters have logging enabled.
    File           :    aws/neptune.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    neptuneClusterLoggingDisabled
    Rule ID        :    AC_AWS_075
    Resource Name  :    default
    Resource Type  :    aws_neptune_cluster
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    43
    Severity       :    HIGH
    Rule Name      :    s3Versioning
    Rule ID        :    AWS.S3Bucket.IAM.High.0370
    Resource Name  :    financials
    Resource Type  :    aws_s3_bucket
    Category       :    Resilience

    -----------------------------------------------------------------------

    Description    :    Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    s3Versioning
    Rule ID        :    AWS.S3Bucket.IAM.High.0370
    Resource Name  :    data
    Resource Type  :    aws_s3_bucket
    Category       :    Resilience

    -----------------------------------------------------------------------

    Description    :    Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    271
    Severity       :    HIGH
    Rule Name      :    s3Versioning
    Rule ID        :    AWS.S3Bucket.IAM.High.0370
    Resource Name  :    flowbucket
    Resource Type  :    aws_s3_bucket
    Category       :    Resilience

    -----------------------------------------------------------------------

    Description    :    Ensure EKS clusters have control plane logging enabled.
    File           :    aws/eks.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    117
    Severity       :    MEDIUM
    Rule Name      :    eksControlPlaneLoggingDisabled
    Rule ID        :    AC_AWS_071
    Resource Name  :    eks_cluster
    Resource Type  :    aws_eks_cluster
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure S3 buckets have access logging enabled.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    43
    Severity       :    MEDIUM
    Rule Name      :    s3BucketAccessLoggingDisabled
    Rule ID        :    AC_AWS_078
    Resource Name  :    financials
    Resource Type  :    aws_s3_bucket
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure S3 buckets have access logging enabled.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    s3BucketAccessLoggingDisabled
    Rule ID        :    AC_AWS_078
    Resource Name  :    data
    Resource Type  :    aws_s3_bucket
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure S3 buckets have access logging enabled.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    66
    Severity       :    MEDIUM
    Rule Name      :    s3BucketAccessLoggingDisabled
    Rule ID        :    AC_AWS_078
    Resource Name  :    operations
    Resource Type  :    aws_s3_bucket
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure S3 buckets have access logging enabled.
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    271
    Severity       :    MEDIUM
    Rule Name      :    s3BucketAccessLoggingDisabled
    Rule ID        :    AC_AWS_078
    Resource Name  :    flowbucket
    Resource Type  :    aws_s3_bucket
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure S3 buckets have access logging enabled.
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    115
    Severity       :    MEDIUM
    Rule Name      :    s3BucketAccessLoggingDisabled
    Rule ID        :    AC_AWS_078
    Resource Name  :    logs
    Resource Type  :    aws_s3_bucket
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure AWS RDS instances have logging enabled.
    File           :    aws/db-app.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    dbInstanceLoggingDisabled
    Rule ID        :    AC_AWS_076
    Resource Name  :    default
    Resource Type  :    aws_db_instance
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure rotation for customer created CMKs is enabled
    File           :    aws/kms.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    kmsKeyRotationDisabled
    Rule ID        :    AC_AWS_012
    Resource Name  :    logs_key
    Resource Type  :    aws_kms_key
    Category       :    Security Best Practices

    -----------------------------------------------------------------------

    Description    :    Ensure VPC flow logging is enabled in all VPCs
    File           :    aws/eks.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    43
    Severity       :    MEDIUM
    Rule Name      :    vpcFlowLogsNotEnabled
    Rule ID        :    AWS.VPC.Logging.Medium.0470
    Resource Name  :    eks_vpc
    Resource Type  :    aws_vpc
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure every security group should have a description to ease the process of Auditing
    File           :    aws/db-app.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    116
    Severity       :    LOW
    Rule Name      :    noSgDescription
    Rule ID        :    AC_AWS_015
    Resource Name  :    default
    Resource Type  :    aws_security_group
    Category       :    Security Best Practices

    -----------------------------------------------------------------------

    Description    :    Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion
    File           :    aws/s3.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    allUsersReadAccess
    Rule ID        :    AWS.S3Bucket.IAM.High.0377
    Resource Name  :    data
    Resource Type  :    aws_s3_bucket
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure that detailed monitoring is enabled for EC2 instances.
    File           :    aws/ec2.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    detailedMonitoringEnabledInstance
    Rule ID        :    AC_AWS_070
    Resource Name  :    web_host
    Resource Type  :    aws_instance
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure that detailed monitoring is enabled for EC2 instances.
    File           :    aws/db-app.tf
    Module Name    :    root
    Plan Root      :    aws
    Line           :    242
    Severity       :    HIGH
    Rule Name      :    detailedMonitoringEnabledInstance
    Rule ID        :    AC_AWS_070
    Resource Name  :    db_app
    Resource Type  :    aws_instance
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure that Azure Active Directory Admin is configured for SQL Server
    File           :    azure/sql.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    9
    Severity       :    HIGH
    Rule Name      :    reme_sqlServerADAdminConfigured
    Rule ID        :    accurics.azure.IAM.10
    Resource Name  :    example
    Resource Type  :    azurerm_sql_server
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure that standard pricing tiers are selected
    File           :    azure/security_center.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    reme_securityCenterPrincingTier
    Rule ID        :    accurics.azure.OPS.349
    Resource Name  :    pricing
    Resource Type  :    azurerm_security_center_subscription_pricing
    Category       :    Security Best Practices

    -----------------------------------------------------------------------

    Description    :    Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
    File           :    azure/sql.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    98
    Severity       :    MEDIUM
    Rule Name      :    reme_connectionThrottling
    Rule ID        :    accurics.azure.LOG.151
    Resource Name  :    thrtottling_config
    Resource Type  :    azurerm_postgresql_configuration
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure Azure Application Gateway Web application firewall (WAF) is enabled
    File           :    azure/application_gateway.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    reme_appGatewayWAFEnabled
    Rule ID        :    accurics.azure.NS.147
    Resource Name  :    network
    Resource Type  :    azurerm_application_gateway
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Enable Network Watcher for Azure subscriptions. Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure.
    File           :    azure/networking.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    125
    Severity       :    HIGH
    Rule Name      :    reme_networkWatcherEnabled
    Rule ID        :    accurics.azure.NS.11
    Resource Name  :    flow_log
    Resource Type  :    azurerm_network_watcher_flow_log
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days. Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches.
    File           :    azure/networking.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    125
    Severity       :    MEDIUM
    Rule Name      :    reme_logRetensionGraterThan90Days
    Rule ID        :    accurics.azure.NS.342
    Resource Name  :    flow_log
    Resource Type  :    azurerm_network_watcher_flow_log
    Category       :    Resilience

    -----------------------------------------------------------------------

    Description    :    Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
    File           :    azure/sql.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    105
    Severity       :    MEDIUM
    Rule Name      :    postgreSqlLogsEnabled
    Rule ID        :    accurics.azure.LOG.364
    Resource Name  :    example
    Resource Type  :    azurerm_postgresql_configuration
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure that Azure Resource Group has resource lock enabled
    File           :    azure/resource_group.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    1
    Severity       :    LOW
    Rule Name      :    reme_resourceGroupLock
    Rule ID        :    accurics.azure.NS.272
    Resource Name  :    example
    Resource Type  :    azurerm_resource_group
    Category       :    Identity and Access Management

    -----------------------------------------------------------------------

    Description    :    Ensure that Geo Redundant Backups is enabled on PostgreSQL
    File           :    azure/sql.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    73
    Severity       :    HIGH
    Rule Name      :    reme_geoRedundancyDisabled
    Rule ID        :    accurics.azure.BDR.163
    Resource Name  :    example
    Resource Type  :    azurerm_postgresql_server
    Category       :    Resilience

    -----------------------------------------------------------------------

    Description    :    Ensure AKS cluster has Network Policy configured.
    File           :    azure/aks.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    networkPolicyEnabled
    Rule ID        :    accurics.azure.NS.382
    Resource Name  :    k8s_cluster
    Resource Type  :    azurerm_kubernetes_cluster
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server.
    File           :    azure/sql.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    44
    Severity       :    HIGH
    Rule Name      :    sslConnectionEnabled
    Rule ID        :    accurics.azure.NS.361
    Resource Name  :    example
    Resource Type  :    azurerm_mysql_server
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure that 'Send email notification for high severity alerts' is set to 'On'
    File           :    azure/security_center.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    5
    Severity       :    MEDIUM
    Rule Name      :    emailAlertsEnabled
    Rule ID        :    accurics.azure.MON.353
    Resource Name  :    contact
    Resource Type  :    azurerm_security_center_contact
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

    Description    :    Ensure that Azure Virtual Network subnet is configured with a Network Security Group
    File           :    azure/networking.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    18
    Severity       :    MEDIUM
    Rule Name      :    reme_noSecurityGroupAssociated
    Rule ID        :    accurics.azure.NS.161
    Resource Name  :    example
    Resource Type  :    azurerm_subnet
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure Kube Dashboard is disabled
    File           :    azure/aks.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    kubeDashboardDisabled
    Rule ID        :    accurics.azure.NS.383
    Resource Name  :    k8s_cluster
    Resource Type  :    azurerm_kubernetes_cluster
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
    File           :    azure/sql.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    73
    Severity       :    HIGH
    Rule Name      :    reme_sslEnforceDisabled
    Rule ID        :    accurics.azure.EKM.1
    Resource Name  :    example
    Resource Type  :    azurerm_postgresql_server
    Category       :    Infrastructure Security

    -----------------------------------------------------------------------

    Description    :    Ensure that 'OS disk' are encrypted
    File           :    azure/storage.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    1
    Severity       :    MEDIUM
    Rule Name      :    reme_checkDataDisksEncrypted
    Rule ID        :    accurics.azure.EKM.156
    Resource Name  :    example
    Resource Type  :    azurerm_managed_disk
    Category       :    Data Protection

    -----------------------------------------------------------------------

    Description    :    Ensure that logging for Azure KeyVault is 'Enabled'
    File           :    azure/key_vault.tf
    Module Name    :    root
    Plan Root      :    azure
    Line           :    1
    Severity       :    HIGH
    Rule Name      :    reme_keyVaultAuditLoggingEnabled
    Rule ID        :    accurics.azure.EKM.20
    Resource Name  :    example
    Resource Type  :    azurerm_key_vault
    Category       :    Logging and Monitoring

    -----------------------------------------------------------------------

Scan Summary -

    File/Folder         :   /var/folders/pt/zybdcqcx5777xknz0zgq3zhc0000gn/T/ywsh6i/terraform
    IaC Type            :   all
    Scanned At          :   2021-05-17 10:55:57.253721 +0000 UTC
    Policies Validated  :   607
    Violated Policies   :   78
    Low                 :   5
    Medium              :   36
    High                :   37

Saini01Basu commented 3 years ago

I am sorry, my bad, I got confused with the three goat projects that I am using for testing. Yes, it is working in all scenarios. Thanks again and sorry about the confusion.

ravitomardevops commented 2 years ago

I need to scan recursively and don't want these error messages like 'error 26 0 directory 'C:\Users\saini_basu\Documents\terragoat\terraform' has no terraform config files'. Is there any way I can recursively run it?

rennu commented 2 years ago

> I need to scan recursively and don't want these error messages like 'error 26 0 directory 'C:\Users\saini_basu\Documents\terragoat\terraform' has no terraform config files'. Is there any way I can recursively run it?

I have to agree. Why are subfolders without terraform config files considered scan errors?
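An added example for the recursive-scan question above (not terrascan's own code and not one of the thread's replies): a POSIX shell wrapper that lists every directory directly containing `.tf` files and runs `terrascan scan -d <dir> -i terraform` in each one, so a parent folder such as `./terraform` that only holds subfolders is never passed to terrascan and never triggers the "has no terraform config files" error. It assumes `terrascan` is on `PATH` with the `-d` and `-i` flags behaving as on this page, and that directory paths contain no newlines; the demo tree at the bottom is constructed for illustration.

```shell
# Added example, not terrascan's own code. Assumes `terrascan` is on PATH and
# that `-d DIR -i terraform` works as shown on the page.

# tf_dirs ROOT: print every directory under ROOT that directly contains a .tf
# file, skipping .terraform module caches and .git. Folders that only hold
# subfolders (like ./terraform in the thread) are never listed.
tf_dirs() {
    root="${1:-.}"
    find "$root" \( -name .terraform -o -name .git \) -prune \
        -o -type f -name '*.tf' -print |
        sed 's|/[^/]*$||' | sort -u
}

# scan_all ROOT: run terrascan once per Terraform root from tf_dirs and return
# the highest exit status seen, so a CI job still fails if any root has
# violations (terrascan exits non-zero when it reports violations).
scan_all() {
    root="${1:-.}"
    list=$(mktemp) || return 1
    tf_dirs "$root" > "$list"
    worst=0
    while IFS= read -r d; do
        echo "==> scanning $d"
        terrascan scan -d "$d" -i terraform
        rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done < "$list"
    rm -f "$list"
    return "$worst"
}

# Constructed demo layout (sample files, not a real project): two Terraform
# roots, a module cache that must be ignored, and a non-Terraform file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/aws" "$demo_root/azure" "$demo_root/aws/.terraform/modules/m"
echo 'resource "aws_s3_bucket" "data" {}' > "$demo_root/aws/s3.tf"
echo 'resource "azurerm_resource_group" "example" {}' > "$demo_root/azure/rg.tf"
echo 'resource "null_resource" "cached" {}' > "$demo_root/aws/.terraform/modules/m/main.tf"
echo 'not terraform' > "$demo_root/README.md"

echo "Terraform roots found:"
tf_dirs "$demo_root"

if command -v terrascan >/dev/null 2>&1; then
    scan_all "$demo_root"
    echo "worst terrascan exit status: $?"
else
    echo "terrascan not on PATH; skipping the scan step"
fi
```

Each root is scanned as terraform itself would see it (the directory where `terraform plan` runs), which matches the behaviour described earlier in the thread; the results are separate reports rather than one collated report, so in CI the exit status of `scan_all` is what to gate on.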