diff --git a/.github/workflows/bridgrcrew.yml b/.github/workflows/bridgrcrew.yml new file mode 100644 index 0000000..61749ab --- /dev/null +++ b/.github/workflows/bridgrcrew.yml @@ -0,0 +1,9 @@ +steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Run Bridgecrew + id: Bridgecrew + uses: bridgecrewio/bridgecrew-action@master + with: + api-key: ${{ secrets.BC_API_KEY }} diff --git a/README.md b/README.md index 2be2207..c71ee6b 100644 --- a/README.md +++ b/README.md 
@@ -75,72 +75,85 @@ If you need direct support you can contact us at [info@bridgecrew.io](mailto:inf ## Existing vulnerabilities (Auto-Generated) +| | check_id | file | resource | check_name | guideline | +|----|-------------|----------------------------------|---------------------------|-----------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV_AWS_21 | /terraform/simple_instance/s3.tf | aws_s3_bucket.docking_bay | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 1 | CKV_AWS_18 | /terraform/simple_instance/s3.tf | aws_s3_bucket.docking_bay | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 2 | CKV_AWS_145 | /terraform/simple_instance/s3.tf | aws_s3_bucket.docking_bay | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default | +| 3 | CKV_AWS_144 | /terraform/simple_instance/s3.tf | aws_s3_bucket.docking_bay | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled | +| 4 | CKV_AWS_19 | /terraform/simple_instance/s3.tf | aws_s3_bucket.docking_bay | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 5 | CKV2_AWS_6 | /terraform/simple_instance/s3.tf | aws_s3_bucket.docking_bay | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached | + + +--- + + | | check_id | file | resource | check_name | guideline | 
|----|-------------|---------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV_AWS_46 | /cfngoat.yaml | AWS::EC2::Instance.EC2Instance | Ensure no hard-coded secrets exist in EC2 user data | https://docs.bridgecrew.io/docs/bc_aws_secrets_1 | -| 1 | CKV_AWS_3 | /cfngoat.yaml | AWS::EC2::Volume.WebHostStorage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume | -| 2 | CKV_AWS_24 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security | +| 0 | CKV_AWS_58 | /eks.yaml | AWS::EKS::Cluster.EKSCluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 | +| 1 | CKV_AWS_46 | /cfngoat.yaml | AWS::EC2::Instance.EC2Instance | Ensure no hard-coded secrets exist in EC2 user data | https://docs.bridgecrew.io/docs/bc_aws_secrets_1 | +| 2 | CKV_AWS_3 | /cfngoat.yaml | AWS::EC2::Volume.WebHostStorage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume | | 3 | CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 | -| 4 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 5 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has versioning enabled | 
https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 4 | CKV_AWS_24 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security | +| 5 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | | 6 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 7 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 8 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 9 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 10 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 11 | CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure | -| 12 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | -| 13 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | -| 14 | CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM 
policies does not allow permissions management without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint | -| 15 | CKV_AWS_40 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1 | -| 16 | CKV_AWS_110 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow privilege escalation | https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation | -| 17 | CKV_AWS_7 | /cfngoat.yaml | AWS::KMS::Key.LogsKey | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 | -| 18 | CKV_AWS_16 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in the RDS is securely encrypted at rest | https://docs.bridgecrew.io/docs/general_4 | +| 7 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 8 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 9 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 10 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 11 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 12 | CKV_AWS_110 | /cfngoat.yaml | 
AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow privilege escalation | https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation | +| 13 | CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure | +| 14 | CKV_AWS_40 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1 | +| 15 | CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow permissions management without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint | +| 16 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | +| 17 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | +| 18 | CKV_AWS_7 | /cfngoat.yaml | AWS::KMS::Key.LogsKey | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 | | 19 | CKV_AWS_157 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure that RDS instances have Multi-AZ enabled | https://docs.bridgecrew.io/docs/general_73 | -| 20 | CKV_AWS_17 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in RDS is not publicly accessible | https://docs.bridgecrew.io/docs/public_2 | -| 21 | CKV_AWS_23 | /cfngoat.yaml | 
AWS::EC2::SecurityGroup.DefaultSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 | -| 22 | CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure | -| 23 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | -| 24 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | -| 25 | CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow permissions management without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint | -| 26 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq | -| 27 | CKV_AWS_173 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Check encryption settings for Lambda environmental variable | https://docs.bridgecrew.io/docs/bc_aws_serverless_5 | -| 28 | CKV_AWS_45 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure no hard-coded secrets exist in lambda environment | https://docs.bridgecrew.io/docs/bc_aws_secrets_3 | -| 29 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 30 | CKV_AWS_20 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket does not allow READ permissions 
to everyone | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone | -| 31 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | -| 32 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 33 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 34 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 35 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 36 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 37 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 38 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 20 | CKV_AWS_16 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in the RDS is securely encrypted at rest | https://docs.bridgecrew.io/docs/general_4 | +| 21 | CKV_AWS_17 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in RDS is not publicly accessible | https://docs.bridgecrew.io/docs/public_2 | +| 22 | CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.DefaultSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 | +| 23 | CKV_AWS_107 | 
/cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure | +| 24 | CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow permissions management without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint | +| 25 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | +| 26 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | +| 27 | CKV_AWS_45 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure no hard-coded secrets exist in lambda environment | https://docs.bridgecrew.io/docs/bc_aws_secrets_3 | +| 28 | CKV_AWS_173 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Check encryption settings for Lambda environmental variable | https://docs.bridgecrew.io/docs/bc_aws_serverless_5 | +| 29 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq | +| 30 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 31 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | +| 32 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | 
https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 33 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 34 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 35 | CKV_AWS_20 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket does not allow READ permissions to everyone | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone | +| 36 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 37 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 38 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | | 39 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 40 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 41 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 42 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 43 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 44 | 
CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 45 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 46 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 47 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | -| 48 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 49 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 50 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 51 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | -| 52 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 40 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 41 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning | +| 42 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | 
Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 43 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 44 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 45 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 46 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | +| 47 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | +| 48 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 49 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 50 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 51 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 52 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | | 53 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | 
https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 54 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 55 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | -| 56 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | -| 57 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 54 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | +| 55 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 56 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | +| 57 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 | | 58 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 | -| 59 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 | -| 60 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | -| 61 | CKV_AWS_108 | 
/cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | -| 62 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.CleanBucketFunction | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq | -| 63 | CKV_AWS_58 | /eks.yaml | AWS::EKS::Cluster.EKSCluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 | +| 59 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging | +| 60 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 | +| 61 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint | +| 62 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration | +| 63 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.CleanBucketFunction | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq | --- diff --git a/cfngoat.yaml b/cfngoat.yaml index 638d875..7a477aa 100644 --- a/cfngoat.yaml +++ b/cfngoat.yaml 
@@ -44,7 +44,7 @@ Resources: - Key: Name Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-ec2" - Key: yor_trace - Value: 595b9b79-bd1e-45fd-a297-d521ebdf15e7 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -86,7 +86,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 838685b6-8fac-42eb-9cf4-008dd36216a1 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -142,7 +142,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: d4d72008-2b73-4635-9df6-8035c8850d66 + Value: Vinay7820 - Key: git_org Value: bridgecrewio WebVPC: @@ -153,7 +153,7 @@ Resources: EnableDnsHostnames: True Tags: - Key: Name - Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-vpc" + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -184,7 +184,7 @@ Resources: - Key: Name Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-subnet" - Key: yor_trace - Value: 4f6434ca-b2c2-4fe3-88fc-9ad969965958 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -219,7 +219,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 68c27f34-7110-458d-98b3-b9a7307638dc + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -235,7 +235,7 @@ Resources: - Key: Name Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-igw" - Key: yor_trace - Value: 39d8202d-7126-40dd-afa0-4554eeadada4 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -271,7 +271,7 @@ Resources: - Key: git_last_modified_by Value: jonathan.jozwiak@googlemail.com - Key: yor_trace - Value: 0613f2a9-ccbb-4e77-839b-bc0a7681bd9c + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo 
@@ -308,7 +308,7 @@ Resources: - Key: git_last_modified_by Value: jonathan.jozwiak@googlemail.com - Key: yor_trace - Value: ebfdc86d-55a5-4df1-88fd-2f3bc869549c + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -335,7 +335,7 @@ Resources: - Key: git_last_modified_by Value: jonathan.jozwiak@googlemail.com - Key: yor_trace - Value: 077d3a3d-66bc-4fe9-8839-b59a40785234 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -355,7 +355,7 @@ Resources: - Key: Name Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-flowlogs" - Key: yor_trace - Value: a148a687-a031-4491-8fc9-6bb78fef0572 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -388,7 +388,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 346804e2-5a21-4f1b-a8bf-f3c3fc9c7d15 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -447,7 +447,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: bd68272a-4d3b-44e6-a2f0-ad783935c332 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -492,7 +492,7 @@ Resources: - Key: Name Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-rds" - Key: Environment - Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}" + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -524,7 +524,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 6d7cc8b8-ee12-4ad2-940c-324b6eeca646 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -557,7 +557,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 88c3fff0-8627-4e00-8e10-086c1651370a + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo 
@@ -590,7 +590,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 3c0704d6-7b98-472d-a6b2-c3085cb87024 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -610,7 +610,7 @@ Resources: - Key: Name Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-rds-sg" - Key: Environment - Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}" + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -665,7 +665,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 47d128cd-8fec-4d80-a768-e5e4c133b61a + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -714,7 +714,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 35854694-8244-4717-8f50-146fbec15c61 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -864,7 +864,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 2c07712d-22f5-42be-946e-1c2e71d2e275 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -897,7 +897,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 5939cdf9-4e86-4208-80d1-095c367c2c13 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -937,7 +937,7 @@ Resources: - Key: git_last_modified_by Value: jonathan.jozwiak@googlemail.com - Key: yor_trace - Value: 509b197d-4f87-4ae1-aa43-8cca13c9e92e + Value: Vinay7820 - Key: git_org Value: bridgecrewio @@ -963,7 +963,7 @@ Resources: - Key: git_last_modified_by Value: jonathan.jozwiak@googlemail.com - Key: yor_trace - Value: 7d0b70d4-58fb-4d2d-b966-177d349932da + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo 
@@ -979,7 +979,7 @@ Resources: Status: Enabled Tags: - Key: Name - Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-operations" + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -1024,7 +1024,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 11266986-850e-41eb-b980-7b4d8d49f919 + Value: Vinay7820 - Key: git_org Value: bridgecrewio LogsBucket: @@ -1045,7 +1045,7 @@ Resources: - Key: Name Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-logs" - Key: yor_trace - Value: 7c5f90f1-7102-45dc-bead-02754df64eba + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -1107,7 +1107,7 @@ Resources: - Key: git_last_modified_by Value: jonathan.jozwiak@googlemail.com - Key: yor_trace - Value: 573995a2-e3f4-43a6-847d-df474b0fc71a + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -1259,7 +1259,7 @@ Resources: - Key: git_last_modified_by Value: nimrodkor@gmail.com - Key: yor_trace - Value: 75847e0e-ba4e-46e5-8c36-cd934d666acd + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo diff --git a/eks.yaml b/eks.yaml index 3f43f02..614c477 100644 --- a/eks.yaml +++ b/eks.yaml @@ -60,7 +60,7 @@ Resources: - Key: git_last_modified_by Value: mike@bridgecrew.io - Key: yor_trace - Value: d0c28b39-b842-4803-a7b8-a4ea8056eb99 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -236,15 +236,15 @@ Resources: - Key: git_file Value: eks.yaml - Key: git_commit - Value: 52127b2051fa27ca5168b17798cd4f63723a13f1 + Value: 1aab848a22a383d185f8d0d6ed344076f636769b - Key: git_modifiers - Value: mike/nimrodkor + Value: mike - Key: git_last_modified_at - Value: "2021-08-23 07:51:59" + Value: 2020-07-15 20:22:37 - Key: git_last_modified_by - Value: nimrodkor@gmail.com + Value: mike@bridgecrew.io - Key: yor_trace - Value: 8627abe2-fcd0-47da-a257-3d190b4b4081 + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo 
@@ -257,7 +257,7 @@ Resources: Domain: vpc Tags: - Key: git_org - Value: bridgecrewio + Value: Vinay7820 - Key: git_repo Value: cfngoat - Key: git_file @@ -307,7 +307,7 @@ Resources: Ref: VPC Tags: - Key: Name - Value: !Sub "${AWS::StackName}-PublicSubnet02" + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo @@ -421,7 +421,7 @@ Resources: VpcId: !Ref VPC Tags: - Key: yor_trace - Value: 01a28bb3-8cc4-497e-af24-f3c445a754ce + Value: Vinay7820 - Key: git_org Value: bridgecrewio - Key: git_repo diff --git a/terraform/simple_instance/s3.tf b/terraform/simple_instance/s3.tf new file mode 100644 index 0000000..105e29c --- /dev/null +++ b/terraform/simple_instance/s3.tf @@ -0,0 +1,20 @@ +provider "aws" { + region = "us-west-2" +} + +resource "aws_s3_bucket" "docking_bay" { + bucket_prefix = "docking-bay-storage-" + + tags = { + Name = "Docking Bay" + Environment = "Dev" + git_commit = "c3011ac5495ae3809ce7794dc9249c05f46daf21" + git_file = "terraform/simple_instance/s3.tf" + git_last_modified_at = "2022-02-16 07:52:53" + git_last_modified_by = "vinay.munivenkata@gmail.com" + git_modifiers = "vinay.munivenkata" + git_org = "Vinay7820" + git_repo = "cfngoat" + yor_trace = "28958f85-4eba-4997-ab3d-2758580d3e8e" + } +}
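Review bot: the new `.github/workflows/bridgrcrew.yml` is not a loadable workflow as written: it begins at `steps:` with no `name:`, no `on:` trigger and no `jobs:` block, so GitHub Actions will reject the file and the Bridgecrew scan will never run. Wrap the steps in an `on:` trigger and a `jobs: <job-name>: runs-on: ...` block, and fix the file name (`bridgrcrew` is a typo for `bridgecrew`). Separately, `uses: bridgecrewio/bridgecrew-action@master` pins to a mutable branch; pin it (and `actions/checkout@v2`) to a release tag or a full commit SHA, because this step receives `secrets.BC_API_KEY` and should not be able to change under you without a change in this repository.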
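Review bot: most of the README.md hunk is row reordering rather than new findings: the `cfngoat.yaml` and `eks.yaml` rows below the `---` appear to be the same 64 check results as before (for example the removed `CKV_AWS_46 | /cfngoat.yaml | AWS::EC2::Instance.EC2Instance` row is re-added as row 1), only renumbered, which buries the real change, the six new `/terraform/simple_instance/s3.tf` rows for `aws_s3_bucket.docking_bay` in the first table. Have the generator sort rows deterministically (by file, resource, then check_id) before writing the table so regenerations produce minimal diffs, and add a one-line caption above each table naming the file or framework it covers, since both now sit under the single "Existing vulnerabilities (Auto-Generated)" heading with nothing but `---` between them.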
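Review bot: the cfngoat.yaml hunks replace every per-resource `yor_trace` UUID with the same literal (for example `- Value: 595b9b79-bd1e-45fd-a297-d521ebdf15e7` becomes `+ Value: Vinay7820`), which defeats the tag's purpose: Yor assigns a distinct trace ID to each resource so a deployed cloud object can be mapped back to its IaC block, and dozens of resources sharing one value cannot be told apart. The same replacement also overwrote functional tags, e.g. `- Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-vpc"` on WebVPC and the `Environment` tag on the RDS resources in the `@@ -492` and `@@ -610` hunks, so the stack loses its parameterised naming. This looks like an accidental global find-and-replace; please revert these hunks and, if the intent is to re-tag the fork, run Yor so each resource gets a fresh UUID.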
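Review bot: in the eks.yaml hunk at `@@ -236,15 +236,15 @@` the git metadata tags move backwards: `git_commit`, `git_modifiers`, `git_last_modified_at` and `git_last_modified_by` are replaced with values older than the ones removed (`"2021-08-23 07:51:59"` by `nimrodkor@gmail.com` becomes `2020-07-15 20:22:37` by `mike@bridgecrew.io`), which suggests the file was edited from a stale copy rather than re-tagged from the current commit. Also keep the quotes on the timestamp: an unquoted `2020-07-15 20:22:37` is a YAML 1.1 timestamp scalar for some parsers, while a tag value must be a string. Regenerate these tags with Yor instead of hand-editing them.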
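Review bot: the eks.yaml hunk at `@@ -257,7 +257,7 @@` changes `git_org` from `bridgecrewio` to `Vinay7820` on a single resource while every other `git_org` tag in eks.yaml and cfngoat.yaml still reads `bridgecrewio`, and the `@@ -307` hunk replaces the functional `Name` tag `!Sub "${AWS::StackName}-PublicSubnet02"` with the same literal, so the subnet loses its stack-scoped name. If this PR targets the upstream bridgecrewio/cfngoat repository the org tag should stay as it is; either way it must be consistent across the file, and the `Name` change should be reverted.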
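Review bot: `terraform/simple_instance/s3.tf` adds an `aws_s3_bucket` with no versioning, access logging, default encryption, replication or public access block, which is exactly what the six new README rows for `aws_s3_bucket.docking_bay` (CKV_AWS_21, CKV_AWS_18, CKV_AWS_145, CKV_AWS_144, CKV_AWS_19, CKV2_AWS_6) report. In a deliberately vulnerable repository that may be intended, but then say so in a comment at the top of the file (which checks it is expected to fail and why), otherwise the next contributor will "fix" it; if it is not intended, add `aws_s3_bucket_versioning`, `aws_s3_bucket_server_side_encryption_configuration` and `aws_s3_bucket_public_access_block` resources for the bucket. Two smaller points: the `provider "aws"` block hard-codes `region = "us-west-2"` with no `required_providers` version constraint, and the `git_org = "Vinay7820"` / `git_repo = "cfngoat"` tags describe a fork, so they will be wrong once merged upstream. This is also the first Terraform file in a CloudFormation-focused repository and nothing in the README introduces it.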