Demo feb 22 #50
base: master
Conversation
resource "aws_launch_configuration" "ecs_launch_config" {
  image_id             = data.aws_ami.ecs_optimized_ami.id
  iam_instance_profile = aws_iam_instance_profile.ecs-instance-profile.name
  security_groups      = [aws_security_group.ecs_sg.id]
  user_data            = data.template_file.user_data.rendered
  instance_type        = "t2.micro"
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0008
Check Name: Launch configuration with unencrypted block device.
Severity: HIGH
Message: Root block device is not encrypted.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0008
resource "aws_ecs_cluster" "cluster" {
  name = "ecs-lab-cluster"

  tags = {
    name = "ecs-cluster-name"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0034
Check Name: ECS clusters should have container insights enabled
Severity: LOW
Message: Cluster does not have container insights enabled.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0034
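The two resources above with AVD-AWS-0008 and AVD-AWS-0034 addressed, as an added example that is not code from this PR. Assumed for illustration: a dedicated CMK for EBS, that nothing else in the account depends on unencrypted volumes, and that the IMDSv2 settings (which the scanner did not ask for) are acceptable for the ECS agent on this AMI.

```hcl
# Added example, not the PR's code. Assumed: a dedicated CMK for EBS and
# that nothing else in the account relies on unencrypted volumes.

# Account-wide: every new EBS volume in this region is encrypted with the
# CMK, whether or not an individual launch configuration asks for it.
resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS volumes (assumed)"
  enable_key_rotation = true
}

resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "this" {
  key_arn = aws_kms_key.ebs.arn
}

resource "aws_launch_configuration" "ecs_launch_config" {
  image_id             = data.aws_ami.ecs_optimized_ami.id
  iam_instance_profile = aws_iam_instance_profile.ecs-instance-profile.name
  security_groups      = [aws_security_group.ecs_sg.id]
  user_data            = data.template_file.user_data.rendered
  instance_type        = "t2.micro"

  # AVD-AWS-0008: encrypt the root volume explicitly as well. A launch
  # configuration cannot name a KMS key, which is why the account default
  # above matters; encryption is transparent to the OS and to user_data.
  root_block_device {
    encrypted = true
  }

  # Beyond the flagged finding: require IMDSv2 and keep containers one
  # network hop away (bridge mode) from reading the instance role's
  # credentials. Tasks should use ECS task roles, not the instance profile.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  lifecycle {
    create_before_destroy = true # launch configurations are immutable
  }
}

resource "aws_ecs_cluster" "cluster" {
  name = "ecs-lab-cluster"

  # AVD-AWS-0034: Container Insights emits per-task and per-service CPU,
  # memory, disk and network metrics to CloudWatch, which is the data that
  # alarms and anomaly detection run on.
  setting {
    name  = "containerInsights"
    value = "enabled"
  }

  tags = {
    Name = "ecs-cluster-name" # the PR's lower-case 'name' key is a separate, non-standard tag
  }
}
```

Enabling encryption by default is a per-region account setting, so apply it from the same region as the cluster; existing unencrypted volumes are not touched, only new ones.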
resource "aws_alb" "application_load_balancer" {
  name               = "aws-goat-m2-alb"
  internal           = false
  load_balancer_type = "application"
  subnets            = [aws_subnet.lab-subnet-public-1.id, aws_subnet.lab-subnet-public-1b.id]
  security_groups    = [aws_security_group.load_balancer_security_group.id]

  tags = {
    Name = "aws-goat-m2-alb"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0052
Check Name: Load balancers should drop invalid headers
Severity: HIGH
Message: Application load balancer is not set to drop invalid headers.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0052
resource "aws_alb" "application_load_balancer" {
  name     = "aws-goat-m2-alb"
  internal = false
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0053
Check Name: Load balancer is exposed to the internet.
Severity: HIGH
Message: Load balancer is exposed publicly.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0053
resource "aws_lb_listener" "listener" {
  load_balancer_arn = aws_alb.application_load_balancer.id
  port              = "80"
  protocol          = "HTTP"
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0054
Check Name: Use of plain HTTP.
Severity: CRITICAL
Message: Listener for application load balancer does not use HTTPS.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0054
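The load balancer and listener with AVD-AWS-0052, AVD-AWS-0053 and AVD-AWS-0054 addressed, as an added example that is not code from this PR. Assumed: an issued ACM certificate for app.example.com, a target group aws_lb_target_group.app, and that this ALB is meant to be reachable from the internet.

```hcl
# Added example, not the PR's code. Assumed: an ACM certificate for
# app.example.com and a target group aws_lb_target_group.app.

data "aws_acm_certificate" "app" {
  domain      = "app.example.com" # assumed hostname
  statuses    = ["ISSUED"]
  most_recent = true
}

resource "aws_alb" "application_load_balancer" {
  name               = "aws-goat-m2-alb"
  load_balancer_type = "application"
  subnets            = [aws_subnet.lab-subnet-public-1.id, aws_subnet.lab-subnet-public-1b.id]
  security_groups    = [aws_security_group.load_balancer_security_group.id]

  # AVD-AWS-0053: an internet-facing ALB is usually the point of the
  # design. Keep internal = false only if the app must be public and let
  # the ALB security group (443 only) and a WAF control the exposure;
  # set it to true for anything reached over VPN or PrivateLink.
  internal = false

  # AVD-AWS-0052: drop requests whose header names are not RFC-compliant
  # instead of forwarding them, which closes a class of header-smuggling
  # tricks against the targets.
  drop_invalid_header_fields = true

  enable_deletion_protection = true

  tags = {
    Name = "aws-goat-m2-alb"
  }
}

# AVD-AWS-0054: terminate TLS on the ALB with a TLS 1.2/1.3-only policy.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_alb.application_load_balancer.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = data.aws_acm_certificate.app.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn # assumed target group
  }
}

# Port 80 stays open only to redirect; no application traffic is served
# in the clear.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_alb.application_load_balancer.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

The certificate must be in the same region as the ALB; if the app sits behind CloudFront as well, terminate TLS there too rather than letting CloudFront talk HTTP to the origin.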
resource "aws_iam_policy" "ecs_instance_policy" {
  name = "aws-goat-instance-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'ssm:*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "ecs_instance_policy" {
  name = "aws-goat-instance-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'ssm:*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "ecs_instance_policy" {
  name = "aws-goat-instance-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses sensitive action 'ssm:*' on wildcarded resource '*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "ecs_instance_policy" {
  name = "aws-goat-instance-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'ssm:*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'iam:List*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'iam:List*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'iam:List*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'iam:List*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'iam:List*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'iam:List*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'iam:List*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action 'iam:List*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses sensitive action 'iam:List*' on wildcarded resource '*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "ec2_deployer_admin_policy" {
  name = "ec2DeployerAdmin-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses wildcarded action '*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
resource "aws_iam_policy" "ec2_deployer_admin_policy" {
  name = "ec2DeployerAdmin-policy"
  policy = jsonencode({
    "Statement" : [
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0057
Check Name: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
Severity: HIGH
Message: IAM policy document uses sensitive action '*' on wildcarded resource '*'
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0057
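One way to resolve the AVD-AWS-0057 findings on the three policies above (ssm:* in ecs_instance_policy, iam:List* in instance_boundary_policy, and * on * in ec2_deployer_admin_policy), as an added example that is not code from this PR. Assumed: application parameters live under /aws-goat/, the instance role is named ecs-instance-role, and data.aws_caller_identity.current is already declared (this PR uses it for the bucket name); the aws_region data source is new here.

```hcl
# Added example, not the PR's code. Assumed: parameters under /aws-goat/,
# an instance role named ecs-instance-role, and an existing
# data.aws_caller_identity.current.

data "aws_region" "current" {}

locals {
  account_id    = data.aws_caller_identity.current.account_id
  region        = data.aws_region.current.name
  ssm_params    = "arn:aws:ssm:${local.region}:${local.account_id}:parameter/aws-goat/*"
  instance_role = "arn:aws:iam::${local.account_id}:role/ecs-instance-role"
}

# 'ssm:*' on '*' let the instance run commands on every managed node and
# read every parameter in the account. Read-only access to one parameter
# path is usually what the app needs; for Session Manager, attach the
# AmazonSSMManagedInstanceCore managed policy instead of widening this.
resource "aws_iam_policy" "ecs_instance_policy" {
  name = "aws-goat-instance-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "ReadAppParameters"
      Effect   = "Allow"
      Action   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
      Resource = local.ssm_params
    }]
  })
}

# A permissions boundary is a ceiling, not a grant, but 'iam:List*' on '*'
# still lets a compromised instance enumerate every user, role and policy.
# Limit it to the role's own attachments.
resource "aws_iam_policy" "instance_boundary_policy" {
  name = "aws-goat-instance-boundary-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "BoundaryListOwnRole"
      Effect   = "Allow"
      Action   = ["iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:GetRole"]
      Resource = local.instance_role
    }]
  })
}

# '*' on '*' is AdministratorAccess under another name. A deployer needs to
# launch instances and hand them one role. ec2:Describe* only accepts
# Resource "*", so pin the region instead, and pin PassRole to the role.
resource "aws_iam_policy" "ec2_deployer_admin_policy" {
  name = "ec2DeployerAdmin-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DeployInstances"
        Effect   = "Allow"
        Action   = ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:DescribeInstances"]
        Resource = "*"
        Condition = {
          StringEquals = { "aws:RequestedRegion" = local.region }
        }
      },
      {
        Sid      = "PassOnlyTheInstanceRole"
        Effect   = "Allow"
        Action   = "iam:PassRole"
        Resource = local.instance_role
        Condition = {
          StringEquals = { "iam:PassedToService" = "ec2.amazonaws.com" }
        }
      }
    ]
  })
}
```

The PassRole statement is the one to get right: with iam:PassRole on * a deployer can launch an instance with any role in the account, including ones far more privileged than its own, so the resource and the iam:PassedToService condition are what keep "deployer" from meaning "admin".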
resource "aws_db_instance" "database-instance" {
  identifier             = "aws-goat-db"
  allocated_storage      = 10
  instance_class         = "db.t2.micro"
  engine                 = "mysql"
  engine_version         = "5.7"
  username               = "root"
  password               = "T2kVB3zgeN3YbrKS"
  parameter_group_name   = "default.mysql5.7"
  skip_final_snapshot    = true
  availability_zone      = "us-east-1a"
  db_subnet_group_name   = aws_db_subnet_group.database-subnet-group.name
  vpc_security_group_ids = [aws_security_group.database-security-group.id]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0077
Check Name: RDS Cluster and RDS instance should have backup retention longer than default 1 day
Severity: MEDIUM
Message: Instance has very low backup retention period.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0077
resource "aws_db_instance" "database-instance" {
  identifier             = "aws-goat-db"
  allocated_storage      = 10
  instance_class         = "db.t2.micro"
  engine                 = "mysql"
  engine_version         = "5.7"
  username               = "root"
  password               = "T2kVB3zgeN3YbrKS"
  parameter_group_name   = "default.mysql5.7"
  skip_final_snapshot    = true
  availability_zone      = "us-east-1a"
  db_subnet_group_name   = aws_db_subnet_group.database-subnet-group.name
  vpc_security_group_ids = [aws_security_group.database-security-group.id]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0080
Check Name: RDS encryption has not been enabled at a DB Instance level.
Severity: HIGH
Message: Instance does not have storage encryption enabled.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0080
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0086
Check Name: S3 Access block should block public ACL
Severity: HIGH
Message: No public access block so not blocking public acls
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0086
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0087
Check Name: S3 Access block should block public policy
Severity: HIGH
Message: No public access block so not blocking public policies
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0087
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0088
Check Name: Unencrypted S3 bucket.
Severity: HIGH
Message: Bucket does not have encryption enabled
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0088
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0089
Check Name: S3 Bucket does not have logging enabled.
Severity: MEDIUM
Message: Bucket does not have logging enabled
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0089
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0090
Check Name: S3 Data should be versioned
Severity: MEDIUM
Message: Bucket does not have versioning enabled
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0090
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0091
Check Name: S3 Access Block should Ignore Public Acl
Severity: HIGH
Message: No public access block so not ignoring public acls
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0091
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0093
Check Name: S3 Access block should restrict public bucket to limit access
Severity: HIGH
Message: No public access block so not restricting public buckets
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0093
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0094
Check Name: S3 buckets should each define an aws_s3_bucket_public_access_block
Severity: LOW
Message: Bucket does not have a corresponding public access block.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0094
resource "aws_secretsmanager_secret" "rds_creds" {
  name                    = "RDS_CREDS"
  recovery_window_in_days = 0
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0098
Check Name: Secrets Manager should use customer managed keys
Severity: LOW
Message: Secret explicitly uses the default key.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0098
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0104
Check Name: An egress security group rule allows traffic to /0.
Severity: CRITICAL
Message: Security group rule allows egress to multiple public internet addresses.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0104
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0104
Check Name: An egress security group rule allows traffic to /0.
Severity: CRITICAL
Message: Security group rule allows egress to multiple public internet addresses.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0104
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0104
Check Name: An egress security group rule allows traffic to /0.
Severity: CRITICAL
Message: Security group rule allows egress to multiple public internet addresses.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0104
  from_port   = 80
  to_port     = 80
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0107
Check Name: An ingress security group rule allows traffic from /0.
Severity: CRITICAL
Message: Security group rule allows ingress from public internet.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0107
ingress {
  from_port       = 0
  to_port         = 65535
  protocol        = "tcp"
  security_groups = [aws_security_group.load_balancer_security_group.id]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0124
Check Name: Missing description for security group rule.
Severity: LOW
Message: Security group rule does not have a description.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0124
egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0124
Check Name: Missing description for security group rule.
Severity: LOW
Message: Security group rule does not have a description.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0124
egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0124
Check Name: Missing description for security group rule.
Severity: LOW
Message: Security group rule does not have a description.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0124
ingress {
  from_port   = 80
  to_port     = 80
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0124
Check Name: Missing description for security group rule.
Severity: LOW
Message: Security group rule does not have a description.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0124
egress {
  from_port   = 0
  to_port     = 0
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0124
Check Name: Missing description for security group rule.
Severity: LOW
Message: Security group rule does not have a description.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0124
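The three security groups whose rules are flagged above (AVD-AWS-0104 open egress, AVD-AWS-0107 open ingress, AVD-AWS-0124 missing descriptions, and the 0-65535 ingress from the ALB), rebuilt as an added example that is not code from this PR. Standalone aws_security_group_rule resources are used because the ALB and ECS groups reference each other, which inline rules cannot express without a cycle. Assumed: the container listens on 8080, and VPC interface endpoints for ecr.api, ecr.dkr, ecs and logs exist inside the VPC CIDR.

```hcl
# Added example, not the PR's code. Assumed: container port 8080 and VPC
# interface endpoints for ecr.api, ecr.dkr, ecs and logs in this VPC.

locals {
  container_port = 8080 # assumed
}

resource "aws_security_group" "load_balancer_security_group" {
  name        = "aws-goat-alb-sg"
  description = "Internet-facing ALB"
  vpc_id      = aws_vpc.lab-vpc.id
}

resource "aws_security_group" "ecs_sg" {
  name        = "aws-goat-ecs-sg"
  description = "ECS container instances"
  vpc_id      = aws_vpc.lab-vpc.id
}

resource "aws_security_group" "database-security-group" {
  name        = "aws-goat-db-sg"
  description = "RDS MySQL"
  vpc_id      = aws_vpc.lab-vpc.id
}

# ALB: 443 from anywhere is the intended exposure (AVD-AWS-0107 fires on it
# by design). Add a matching port-80 rule only if you keep an HTTP-to-HTTPS
# redirect listener.
resource "aws_security_group_rule" "alb_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.load_balancer_security_group.id
  description       = "HTTPS from the internet"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "alb_out_to_ecs" {
  type                     = "egress"
  security_group_id        = aws_security_group.load_balancer_security_group.id
  description              = "To ECS instances on the container port only"
  from_port                = local.container_port
  to_port                  = local.container_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ecs_sg.id # destination for egress rules
}

# ECS instances: one port from the ALB instead of 0-65535, and egress to
# what the ECS agent needs instead of /0 (AVD-AWS-0104). ECR image layers
# come from S3; if you pull through a gateway endpoint, add an egress rule
# with prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id].
resource "aws_security_group_rule" "ecs_in_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.ecs_sg.id
  description              = "Container port from the ALB"
  from_port                = local.container_port
  to_port                  = local.container_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.load_balancer_security_group.id
}

resource "aws_security_group_rule" "ecs_out_endpoints" {
  type              = "egress"
  security_group_id = aws_security_group.ecs_sg.id
  description       = "HTTPS to VPC interface endpoints (ECR, ECS, CloudWatch Logs)"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.lab-vpc.cidr_block]
}

resource "aws_security_group_rule" "ecs_out_mysql" {
  type                     = "egress"
  security_group_id        = aws_security_group.ecs_sg.id
  description              = "MySQL to the database"
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.database-security-group.id
}

# Database: MySQL from the ECS group only. No egress rule is defined and
# Terraform removes AWS's default allow-all egress on creation, so the RDS
# instance cannot initiate outbound connections at all.
resource "aws_security_group_rule" "db_in_mysql" {
  type                     = "ingress"
  security_group_id        = aws_security_group.database-security-group.id
  description              = "MySQL from ECS instances"
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.ecs_sg.id
}
```

Do not mix inline ingress/egress blocks with aws_security_group_rule on the same group; the provider will fight itself over the rule set. If the instances also need to reach the public internet (package updates, a third-party API), add an explicit 443 egress to that destination rather than restoring the /0 rule.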
resource "aws_s3_bucket" "bucket_tf_files" {
  bucket        = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  force_destroy = true
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0132
Check Name: S3 encryption should use Customer Managed Keys
Severity: HIGH
Message: Bucket does not encrypt data with a customer managed key.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0132
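The state bucket with all nine S3 findings on it resolved (AVD-AWS-0086, 0087, 0088, 0089, 0090, 0091, 0093, 0094 and 0132), as an added example that is not code from this PR. Assumed: a dedicated CMK and a separate log bucket aws_s3_bucket.access_logs. The TLS-only bucket policy is an addition the scanner did not ask for.

```hcl
# Added example, not the PR's code. Assumed: a CMK for the bucket and a
# separate, already existing log bucket aws_s3_bucket.access_logs.

resource "aws_kms_key" "state" {
  description         = "CMK for the Terraform state bucket (assumed)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "bucket_tf_files" {
  bucket = "do-not-delete-awsgoat-state-files-${data.aws_caller_identity.current.account_id}"
  # force_destroy = true lets 'terraform destroy' wipe every state version;
  # leave it unset on a bucket named "do not delete".
  tags = {
    Name        = "Do not delete Bucket"
    Environment = "Dev"
  }
}

# AVD-AWS-0086/0087/0091/0093/0094: with all four flags on, no ACL or
# bucket policy can ever expose state, which holds the RDS password and
# every other secret this configuration writes out.
resource "aws_s3_bucket_public_access_block" "bucket_tf_files" {
  bucket                  = aws_s3_bucket.bucket_tf_files.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# AVD-AWS-0088/0132: SSE-KMS with a customer managed key; the bucket key
# cuts the number of KMS requests per object.
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_tf_files" {
  bucket = aws_s3_bucket.bucket_tf_files.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.state.arn
    }
    bucket_key_enabled = true
  }
}

# AVD-AWS-0090: versioning is what makes a corrupted or deleted state
# file recoverable.
resource "aws_s3_bucket_versioning" "bucket_tf_files" {
  bucket = aws_s3_bucket.bucket_tf_files.id
  versioning_configuration {
    status = "Enabled"
  }
}

# AVD-AWS-0089: access logs go to a separate bucket, never to itself.
resource "aws_s3_bucket_logging" "bucket_tf_files" {
  bucket        = aws_s3_bucket.bucket_tf_files.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "tf-state/"
}

# Not flagged by the scanner, but standard for a state bucket: refuse any
# request that is not made over TLS.
resource "aws_s3_bucket_policy" "bucket_tf_files" {
  bucket = aws_s3_bucket.bucket_tf_files.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.bucket_tf_files.arn,
        "${aws_s3_bucket.bucket_tf_files.arn}/*",
      ]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
  depends_on = [aws_s3_bucket_public_access_block.bucket_tf_files]
}
```

Anyone who can read this bucket can read the database password in the state file, so the KMS key policy on aws_kms_key.state is the real access control here: grant kms:Decrypt only to the principals that run Terraform.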
resource "aws_db_instance" "database-instance" {
  identifier             = "aws-goat-db"
  allocated_storage      = 10
  instance_class         = "db.t2.micro"
  engine                 = "mysql"
  engine_version         = "5.7"
  username               = "root"
  password               = "T2kVB3zgeN3YbrKS"
  parameter_group_name   = "default.mysql5.7"
  skip_final_snapshot    = true
  availability_zone      = "us-east-1a"
  db_subnet_group_name   = aws_db_subnet_group.database-subnet-group.name
  vpc_security_group_ids = [aws_security_group.database-security-group.id]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0133
Check Name: Enable Performance Insights to detect potential problems
Severity: LOW
Message: Instance does not have performance insights enabled.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0133
resource "aws_subnet" "lab-subnet-public-1" {
  vpc_id                  = aws_vpc.lab-vpc.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0164
Check Name: Instances in a subnet should not receive a public IP address by default.
Severity: HIGH
Message: Subnet associates public IP address.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0164
  vpc_id                  = aws_vpc.lab-vpc.id
  cidr_block              = "10.0.128.0/24"
  availability_zone       = data.aws_availability_zones.available.names[1]
  map_public_ip_on_launch = true
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0164
Check Name: Instances in a subnet should not receive a public IP address by default.
Severity: HIGH
Message: Subnet associates public IP address.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0164
resource "aws_db_instance" "database-instance" {
  identifier             = "aws-goat-db"
  allocated_storage      = 10
  instance_class         = "db.t2.micro"
  engine                 = "mysql"
  engine_version         = "5.7"
  username               = "root"
  password               = "T2kVB3zgeN3YbrKS"
  parameter_group_name   = "default.mysql5.7"
  skip_final_snapshot    = true
  availability_zone      = "us-east-1a"
  db_subnet_group_name   = aws_db_subnet_group.database-subnet-group.name
  vpc_security_group_ids = [aws_security_group.database-security-group.id]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0176
Check Name: RDS IAM Database Authentication Disabled
Severity: MEDIUM
Message: Instance does not have IAM Authentication enabled
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/n/a
resource "aws_db_instance" "database-instance" {
  identifier = "aws-goat-db"
  allocated_storage = 10
  instance_class = "db.t2.micro"
  engine = "mysql"
  engine_version = "5.7"
  username = "root"
  password = "T2kVB3zgeN3YbrKS"
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot = true
  availability_zone = "us-east-1a"
  db_subnet_group_name = aws_db_subnet_group.database-subnet-group.name
  vpc_security_group_ids = [aws_security_group.database-security-group.id]
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0177
Check Name: RDS Deletion Protection Disabled
Severity: MEDIUM
Message: Instance does not have Deletion Protection enabled
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/n/a
resource "aws_vpc" "lab-vpc" {
  cidr_block = "10.0.0.0/16"
  enable_dns_support = true
  enable_dns_hostnames = true
  tags = {
    Name = "AWS_GOAT_VPC"
  }
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0178
Check Name: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.
Severity: MEDIUM
Message: VPC Flow Logs is not enabled for VPC
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0178
resource "aws_db_instance" "default" {
  allocated_storage = 10
  engine = "mysql"
  engine_version = "5.7"
  instance_class = "db.t3.micro"
  name = "mydb"
  username = "foo"
  password = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot = true
  publicly_accessible = true
}
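Review bot: `name = "mydb"` is the deprecated argument for the initial database name on `aws_db_instance`; AWS provider 4.x warns on it and 5.x rejects it in favour of `db_name = "mydb"`, so it should be renamed if this module is pinned to 4.0 or later (assumption: the provider constraint is not visible in this hunk). Like the `aws-goat-db` instance in this PR, the resource also hardcodes its master credentials (`username = "foo"` / `password = "foobarbaz"`), and `publicly_accessible = true` paired with those credentials is the most severe problem in the file: drop `publicly_accessible` unless access from outside the VPC is genuinely required, and in that case limit the attached security group to known source ranges.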
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0077
Check Name: RDS Cluster and RDS instance should have backup retention longer than default 1 day
Severity: MEDIUM
Message: Instance has very low backup retention period.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0077
resource "aws_db_instance" "default" {
  allocated_storage = 10
  engine = "mysql"
  engine_version = "5.7"
  instance_class = "db.t3.micro"
  name = "mydb"
  username = "foo"
  password = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot = true
  publicly_accessible = true
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0080
Check Name: RDS encryption has not been enabled at a DB Instance level.
Severity: HIGH
Message: Instance does not have storage encryption enabled.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0080
  password = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot = true
  publicly_accessible = true
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0082
Check Name: A database resource is marked as publicly accessible.
Severity: CRITICAL
Message: Instance is exposed publicly.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0082
resource "aws_db_instance" "default" {
  allocated_storage = 10
  engine = "mysql"
  engine_version = "5.7"
  instance_class = "db.t3.micro"
  name = "mydb"
  username = "foo"
  password = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot = true
  publicly_accessible = true
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0133
Check Name: Enable Performance Insights to detect potential problems
Severity: LOW
Message: Instance does not have performance insights enabled.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/avd-aws-0133
resource "aws_db_instance" "default" {
  allocated_storage = 10
  engine = "mysql"
  engine_version = "5.7"
  instance_class = "db.t3.micro"
  name = "mydb"
  username = "foo"
  password = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot = true
  publicly_accessible = true
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0176
Check Name: RDS IAM Database Authentication Disabled
Severity: MEDIUM
Message: Instance does not have IAM Authentication enabled
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/n/a
resource "aws_db_instance" "default" {
  allocated_storage = 10
  engine = "mysql"
  engine_version = "5.7"
  instance_class = "db.t3.micro"
  name = "mydb"
  username = "foo"
  password = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot = true
  publicly_accessible = true
}
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0177
Check Name: RDS Deletion Protection Disabled
Severity: MEDIUM
Message: Instance does not have Deletion Protection enabled
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/n/a
  password = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot = true
  publicly_accessible = true
⚠️ Aqua detected misconfiguration in your code
Misconfiguration ID: AVD-AWS-0180
Check Name: RDS Publicly Accessible
Severity: HIGH
Message: Instance has Public Access enabled
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/misconfig/n/a
No description provided.