Merge pull request #1037 from tsmithv11/build-jan-24

Adding docs for December build policies
hlxsites · Jan 16, 2025 · 0dc9b5a · 0dc9b5a
2 parents 33c5067 + babf192
commit 0dc9b5a
Show file tree

Hide file tree

Showing 11 changed files with 383 additions and 0 deletions.
diff --git a/...on/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc b/...on/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc
@@ -453,6 +453,10 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py[CKV_AWS_210]
 |LOW
 
+|xref:bc-aws-383.adoc[AWS Bedrock agent is not associated with Bedrock guardrails]
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BedrockGuardrails.py[CKV_AWS_383]
+|LOW
+
 |xref:ensure-aws-cloudfront-distribution-is-enabled.adoc[AWS Cloudfront distribution is disabled]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py[CKV_AWS_216]
 |LOW
@@ -493,6 +497,10 @@
 | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml[CKV2_AWS_37]
 |LOW
 
+|xref:bc-aws-381.adoc[AWS CodeGuru Reviewer repository association does not use a Customer Managed Key (CMK)]
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py[CKV_AWS_381]
+|LOW
+
 |xref:ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.adoc[AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py[CKV_AWS_219]
 |LOW

diff --git a/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc b/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc
@@ -0,0 +1,48 @@
+== AWS CodeGuru Reviewer repository association does not use a Customer Managed Key (CMK)
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 60205a28-8450-413c-a1e5-706f226cff79
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py[CKV_AWS_381]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,Terraform Plan
+
+|===
+
+=== Description
+
+This policy detects whether AWS CodeGuru Reviewer repository associations use Customer Managed Key (CMK) for encryption. CMKs empower users with granular control over key management, including policy setting, usage permissions, and detailed monitoring of access and key rotations. Default encryption options may not provide the level of security and compliance required for sensitive environments. Enforcing the use of CMKs for AWS CodeGuru Reviewer repository associations enables organizations to maintain strict access control and auditing, strengthening overall security posture.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_codegurureviewer_repository_association
+* *Arguments:* kms_key_details
+
+To mitigate this issue, ensure that the `encryption_option` parameter in the `kms_key_details` block is set to `CUSTOMER_MANAGED_CMK`. This ensures that a CMK is used for encryption.
+
+Example:
+
+[source,go]
+----
+resource "aws_codegurureviewer_repository_association" "example" {
+  ...
+  kms_key_details {
++    encryption_option = "CUSTOMER_MANAGED_CMK"
+  }
+}
+----
diff --git a/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc b/...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc
@@ -0,0 +1,48 @@
+== AWS Bedrock agent is not associated with Bedrock guardrails
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| a531ce58-18f2-439b-863f-601c3ac7f7c4
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BedrockGuardrails.py[CKV_AWS_383]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,Terraform Plan
+
+|===
+
+=== Description
+
+This policy detects whether the AWS Bedrock agent is associated with Bedrock guardrails. Amazon Bedrock Guardrails provides crucial governance and compliance controls for generative AI applications, ensuring their safe and responsible use. Associating Guardrails with the Bedrock agent is essential for enforcing these controls, mitigating the risk of non-compliance and potentially harmful outputs. Not associating Guardrails may expose organizations to various risks, including generating biased, inappropriate, or harmful content. By linking Guardrails, organizations can implement safeguards and prevent unwanted behavior in model responses or user messages.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_bedrockagent_agent
+* *Arguments:* guardrail_configuration.guardrail_identifier
+
+To mitigate this issue, configure the `guardrail_configuration` block in your Terraform configuration to include a valid `guardrail_identifier` argument. This ensures that the appropriate guardrails are associated with the Bedrock agent.
+
+Example:
+
+[source,go]
+----
+resource "aws_bedrockagent_agent" "example" {
+  ...
++  guardrail_configuration {
++    guardrail_identifier = "your-guardrail-id"  # Replace with a valid guardrail identifier
++  }
+}
+----
diff --git a/...icy-reference/aws-policies/aws-networking-policies/aws-networking-policies.adoc b/...icy-reference/aws-policies/aws-networking-policies/aws-networking-policies.adoc
@@ -53,6 +53,10 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py[CKV_AWS_2]
 |MEDIUM
 
+|xref:bc-aws-378.adoc[AWS Load Balancer uses HTTP protocol]
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/LBTargetGroup.yaml[CKV_AWS_378]
+|MEDIUM
+
 |xref:bc-aws-2-69.adoc[AWS RDS database instance not configured with encryption in transit]
 | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEncryptionInTransit.yaml[CKV2_AWS_69]
 |MEDIUM
@@ -185,6 +189,10 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py[CKV_AWS_122]
 |LOW
 
+|xref:bc-aws-382.adoc[AWS Security Group allows unrestricted egress traffic]
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedEgressAny.py[CKV_AWS_382]
+|LOW
+
 |xref:ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.adoc[AWS security groups allow ingress from 0.0.0.0/0 to port 80]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py[CKV_AWS_260]
 |LOW

diff --git a/...e-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc b/...e-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc
@@ -0,0 +1,47 @@
+== AWS Load Balancer uses HTTP protocol
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 85b8e37a-a9af-4954-b933-30cc29d11f36
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/LBTargetGroup.yaml[CKV_AWS_378]
+
+|Severity
+|MEDIUM
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,Terraform Plan
+
+|===
+
+=== Description
+
+This policy detects whether AWS Load Balancer Target Groups or Listeners use the HTTP protocol. Using HTTP instead of HTTPS for load balancer communication can expose sensitive traffic to eavesdropping and compromise. It is a security best practice to always configure AWS Load Balancers to use HTTPS, which ensures data encryption in transit and prevents the exposure of sensitive information.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_lb_target_group, aws_alb_target_group, aws_lb_listener, aws_alb_listener
+* *Arguments:* protocol
+
+To remediate this issue, update the protocol attribute to use HTTPS instead of HTTP for the following AWS Load Balancer components: aws_lb_target_group, aws_alb_target_group, aws_lb_listener, and aws_alb_listener.
+
+Example:
+
+[source,go]
+----
+resource "aws_lb_target_group" "example" {
+  ...
+-  protocal    = "HTTP"
++  protocol    = "HTTPS"
+}
+----
diff --git a/...e-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc b/...e-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc
@@ -0,0 +1,58 @@
+== AWS Security Group allows unrestricted egress traffic
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| dcc171fa-1582-4c80-a20e-ecad6e0c058f
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedEgressAny.py[CKV_AWS_382]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,Terraform Plan
+
+|===
+
+=== Description
+
+This policy detects whether AWS Security Groups allow unrestricted egress (outbound) traffic. Permitting unrestricted outbound traffic from your resources can increase the risk of data exfiltration and other security vulnerabilities. As a best practice, explicitly define egress rules in your Security Groups to limit outbound traffic to known and trusted destinations only.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_security_group
+* *Arguments:* egress
+
+To mitigate this issue, for Security Groups, explicitly define restricted outbound traffic rules within the egress block of your Terraform configuration.
+
+Example:
+
+[source,go]
+----
+resource "aws_security_group" "example" {
+  ...
+-  egress {
+-    from_port   = 0
+-    to_port     = 0
+-    protocol    = "-1"
+-    cidr_blocks = ["0.0.0.0/0"]
+-  }
+
++  egress {
++    from_port   = 443
++    to_port     = 443
++    protocol    = "tcp"
++    cidr_blocks = ["10.0.0.0/16"]  # Restrict to known, trusted destination
++  }
+}
+----
diff --git a/...ference/azure-policies/azure-networking-policies/azure-networking-policies.adoc b/...ference/azure-policies/azure-networking-policies/azure-networking-policies.adoc
@@ -161,6 +161,10 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py[CKV_AZURE_122]
 |LOW
 
+|xref:bc-azure-246.adoc[Azure AKS cluster HTTP application routing enabled]
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KubernetesClusterHTTPApplicationRouting.py[CKV_AZURE_246]
+|LOW
+
 |xref:bc-azure-143.adoc[Azure AKS cluster nodes have public IP addresses]
 | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py[CKV_AZURE_143]
 |LOW
@@ -205,6 +209,10 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py[CKV_AZURE_98]
 |LOW
 
+|xref:bc-azure-245.adoc[Azure Container Instance is not configured with virtual network]
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstancePublicIPAddressType.py[CKV_AZURE_245]
+|LOW
+
 |xref:ensure-that-azure-cosmos-db-disables-public-network-access.adoc[Azure Cosmos DB enables public network access]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py[CKV_AZURE_101]
 |LOW
@@ -273,6 +281,10 @@
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py[CKV_AZURE_162]
 |LOW
 
+|xref:bc-azure-2-55.adoc[Azure Spring Cloud app end-to-end TLS is disabled]
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudTLSDisabled.yaml[CKV2_AZURE_55]
+|LOW
+
 |xref:enable-trusted-microsoft-services-for-storage-account-access.adoc[Azure Storage Account 'Trusted Microsoft Services' access not enabled]
 | https://github.com/bridgecrewio/checkov/tree/master/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py[CKV_AZURE_36]
 |LOW

diff --git a/...on/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc b/...on/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc
@@ -0,0 +1,46 @@
+== Azure Spring Cloud app end-to-end TLS is disabled
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 424a5e77-8997-47d9-b0e0-daaca8b81b01
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudTLSDisabled.yaml[CKV2_AZURE_55]
+
+|Severity
+|LOW
+
+|Subtype
+|Run,Build
+
+|Frameworks
+|Terraform,Terraform Plan
+
+|===
+
+=== Description
+
+This policy detects whether Azure Spring Cloud apps disable end-to-end TLS encryption. Disabling end-to-end TLS leaves your application traffic vulnerable, as data transmitted within your Azure Spring Cloud environment may be exposed to unauthorized access and interception. As a security best practice, it is strongly recommended to enable end-to-end TLS to protect your Spring Cloud application traffic. Enabling end-to-end TLS secures all traffic flowing between the ingress controller and your applications.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* azurerm_spring_cloud_service, azurerm_spring_cloud_app
+* *Arguments:* tls_enabled
+
+To mitigate this issue, set the `tls_enabled` attribute to true within your Terraform configurations for Azure Spring Cloud applications.
+
+Example:
+
+[source,go]
+----
+resource "azurerm_spring_cloud_app" "example" {
+  ...
++ tls_enabled         = true
+}
+----
diff --git a/...ion/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc b/...ion/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc
@@ -0,0 +1,47 @@
+== Azure Container Instance is not configured with virtual network
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| d480c1d2-06b3-4e53-81c9-a21ed83cb5fc
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstancePublicIPAddressType.py[CKV_AZURE_245]
+
+|Severity
+|LOW
+
+|Subtype
+|Run,Build
+
+|Frameworks
+|Terraform,Terraform Plan
+
+|===
+
+=== Description
+
+This policy detects whether Azure Container Instances (ACI) are configured with a virtual network. When ACIs are not deployed within a virtual network, they become publicly accessible, creating a security risk as they are directly exposed to the internet. To mitigate this risk, it is strongly recommended to configure all your container instances within a virtual network. By doing so, you establish a secure and isolated environment where your containers can communicate securely with other resources within the virtual network, preventing potential unauthorized access.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* azurerm_container_group
+* *Arguments:* ip_address_type
+
+To remediate this issue, set the `ip_address_type`` attribute to Private or None in your Terraform configuration.
+
+Example:
+
+[source,go]
+----
+resource "azurerm_container_group" "example" {
+  ...
+-  ip_address_type = "Public"
++  ip_address_type = "Private"
+}
+----