2 changes: 1 addition & 1 deletion cfngoat.yaml
@@ -286,7 +286,7 @@ Resources:
EngineVersion: 8.0
DBInstanceClass: db.t3.micro
AllocatedStorage: 20
MasterUsername: admin
MasterUsername: admin1
@bridgecrew bridgecrew bot Jul 15, 2021

HIGH   Ensure no hard-coded secrets exist in EC2 user data
    Resource: AWS::EC2::Instance.EC2Instance | ID: BC_AWS_SECRETS_1

How to Fix

```diff
resource "aws_instance" "web" {
    ami           = data.aws_ami.ubuntu.id
    instance_type = "t3.micro"

-    user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
    tags = {
      Name = "MyLovelyHorse"
    }
}
```

Description

**User Data** is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations. This code is not encrypted.

Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.

@bridgecrew bridgecrew bot Jul 15, 2021

HIGH   Ensure all data stored in the RDS is securely encrypted at rest
    Resource: AWS::RDS::DBInstance.DefaultDB | ID: BC_AWS_GENERAL_4

How to Fix

```diff
resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
+ storage_encrypted    = true
}
```

Description

AWS RDS is a managed DB service enabling quick deployment and management of MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. Native RDS encryption helps protect your cloud applications and fulfils compliance requirements for data-at-rest encryption.

Benchmarks

  • PCI-DSS V3.2 3
  • PCI-DSS V3.2.1 3.4
  • FEDRAMP (MODERATE) SC-28

@bridgecrew bridgecrew bot Jul 15, 2021

LOW   Ensure that RDS instances have Multi-AZ enabled
    Resource: AWS::RDS::DBInstance.DefaultDB | ID: BC_AWS_GENERAL_73

How to Fix

```diff
resource "aws_db_instance" "default" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
+ multi_az             = true
}
```

Description

Amazon RDS Multi-AZ deployments provide enhanced availability for databases within a single region. In the event of a planned or unplanned outage of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ.

RDS Multi-AZ deployments offer the following benefits:

  1. Enhanced durability.
  2. Increased availability.
  3. Protection of your database performance.
  4. Automatic failover.

@bridgecrew bridgecrew bot Jul 15, 2021

HIGH   Ensure all data stored in the RDS bucket is not publicly accessible
    Resource: AWS::RDS::DBInstance.DefaultDB | ID: BC_AWS_PUBLIC_2

How to Fix

```diff
resource "aws_rds_cluster" "default" {
  cluster_identifier = var.cluster["cluster_identifier"]
  engine_version     = var.engine_version
  engine             = var.engine
  database_name      = var.cluster["database_name"]
  master_username    = var.cluster["master_username"]
  master_password    = var.master_password
+ storage_encrypted  = true
  kms_key_id         = var.kms_key_id
  tags               = var.common_tags
}
```

Description

AWS RDS is a managed DB service enabling quick deployment and management of MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server DB engines. RDS native encryption helps protect your applications deployed in the cloud and easily fulfills compliance requirements for data-at-rest encryption.

We recommend encrypting RDS functions as an additional layer of data to prevent unauthorized access to its storage.

MasterUserPassword: !Ref Password
MultiAZ: False
BackupRetentionPeriod: 0
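Review bot: Renaming the master user from `admin` to `admin1` still leaves the username hard-coded in the template, so the problem is sidestepped rather than fixed; the next line already shows the better pattern for the password (`MasterUserPassword: !Ref Password`, a template parameter), and the username could come from a NoEcho parameter or a Secrets Manager dynamic reference the same way. The unchanged context in this hunk also still carries `MultiAZ: False` and `BackupRetentionPeriod: 0` with no `StorageEncrypted: true`, which the three bot comments on `DefaultDB` flag; if those are intentional for this file, a comment on the resource saying so would save the next reviewer the question.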
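The bot's three RDS findings on `DefaultDB`, turned into a small policy check as an added example (not code from the cfngoat project or the Bridgecrew bot). It assumes the template's `Resources` map has already been parsed into a dict by a CloudFormation-aware loader (so `!Ref Password` appears as `{"Ref": "Password"}`); the backup-retention and hard-coded-credential checks are extra assumptions beyond the bot's rule IDs, and the Secrets Manager secret name `DbSecret` is a placeholder.

```python
# Added example, not code from cfngoat or the Bridgecrew bot: a policy check
# over a CloudFormation Resources map parsed to a dict ("!Ref X" -> {"Ref": "X"}).

DYNAMIC_REF = "{{resolve:"  # prefix of a CloudFormation dynamic reference

def is_literal_secret(value) -> bool:
    # Plain string = literal; dict = intrinsic such as !Ref; "{{resolve:..."
    # = Secrets Manager / SSM dynamic reference resolved at deploy time.
    return isinstance(value, str) and not value.startswith(DYNAMIC_REF)

def check_rds_instance(logical_id: str, resource: dict) -> list:
    """Findings for one AWS::RDS::DBInstance, mirroring the bot's comments."""
    props = resource.get("Properties", {})
    findings = []
    # BC_AWS_GENERAL_4: encryption at rest is off unless set explicitly.
    if props.get("StorageEncrypted") is not True:
        findings.append("StorageEncrypted is not true")
    # BC_AWS_GENERAL_73: no standby replica in another Availability Zone.
    if props.get("MultiAZ") is not True:
        findings.append("MultiAZ is not true")
    # Assumed extra check (no bot rule ID): 0 disables automated backups.
    if props.get("BackupRetentionPeriod", 1) == 0:
        findings.append("BackupRetentionPeriod is 0 (automated backups off)")
    # Assumed extra check: literal credentials stay readable in the template,
    # which renaming admin to admin1 does not change.
    for key in ("MasterUsername", "MasterUserPassword"):
        if is_literal_secret(props.get(key)):
            findings.append("%s is hard-coded" % key)
    return ["%s: %s" % (logical_id, f) for f in findings]

def scan(resources: dict) -> list:
    """Run the check over every AWS::RDS::DBInstance in a Resources map."""
    out = []
    for logical_id, resource in resources.items():
        if resource.get("Type") == "AWS::RDS::DBInstance":
            out.extend(check_rds_instance(logical_id, resource))
    return out

# Constructed input: DefaultDB as it appears in this hunk after the rename,
# and a hardened variant of the same resource (DbSecret is a placeholder).
WEAK = {"DefaultDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
    "EngineVersion": "8.0", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": 20,
    "MasterUsername": "admin1", "MasterUserPassword": {"Ref": "Password"},
    "MultiAZ": False, "BackupRetentionPeriod": 0}}}
HARDENED = {"DefaultDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
    "EngineVersion": "8.0", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": 20,
    "StorageEncrypted": True, "MultiAZ": True, "BackupRetentionPeriod": 7,
    "MasterUsername": "{{resolve:secretsmanager:DbSecret:SecretString:username}}",
    "MasterUserPassword": "{{resolve:secretsmanager:DbSecret:SecretString:password}}"}}}
```

`scan(WEAK)` reports the four findings on `DefaultDB` and `scan(HARDENED)` reports none.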