From b71b27c11008a2efff4588491d50c0b1978fd3aa Mon Sep 17 00:00:00 2001 From: Taylor Date: Tue, 17 Dec 2024 21:48:04 -0800 Subject: [PATCH 1/2] Docs --- .../aws-general-policies/bc-aws-381.adoc | 46 +++++++++++++++ .../aws-general-policies/bc-aws-383.adoc | 46 +++++++++++++++ .../aws-networking-policies/bc-aws-378.adoc | 45 +++++++++++++++ .../aws-networking-policies/bc-aws-382.adoc | 56 +++++++++++++++++++ .../bc-azure-2-55.adoc | 44 +++++++++++++++ .../bc-azure-245.adoc | 45 +++++++++++++++ .../bc-azure-246.adoc | 45 +++++++++++++++ 7 files changed, 327 insertions(+) create mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc new file mode 100644 index 0000000000..6866ee12d3 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc 
@@ -0,0 +1,46 @@ +== AWS CodeGuru Reviewer repository association does not use a Customer Managed Key (CMK) + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| TBD + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py[CKV_AWS_381] + +|Severity +|LOW + +|Subtype +|Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies AWS CodeGuru Reviewer repository associations that are not configured with a Customer Managed Key (CMK). Using CMK for encryption ensures that you have full control over the encryption keys, enhancing security for your repository data. Relying on default encryption options may not provide the level of security and compliance required for sensitive environments. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* aws_codegurureviewer_repository_association +* *Arguments:* kms_key_details + +To fix this issue, ensure that the `kms_key_details` block is configured with the `encryption_option` set to `CUSTOMER_MANAGED_CMK` in your Terraform configuration. + +[source,go] +---- +resource "aws_codegurureviewer_repository_association" "example" { + ... + kms_key_details { ++ encryption_option = "CUSTOMER_MANAGED_CMK" + } +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc new file mode 100644 index 0000000000..a02c6c21e9 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc 
@@ -0,0 +1,46 @@ +== AWS Bedrock agent is not associated with Bedrock guardrails + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| a531ce58-18f2-439b-863f-601c3ac7f7c4 + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BedrockGuardrails.py[CKV_AWS_383] + +|Severity +|LOW + +|Subtype +|Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies the AWS Bedrock agent that is not associated with Bedrock guardrails. Amazon Bedrock Guardrails provides governance and compliance controls for generative AI applications, ensuring safe and responsible model use. Associating Guardrails with the Bedrock agent is useful for implementing governance and compliance controls in generative AI applications. Not linking Guardrails to the Bedrock agent raises the risk of non-compliance and harmful AI application outputs. It is recommended that AWS Bedrock agents be associated with Bedrock guardrails to implement safeguards and prevent unwanted behavior from model responses or user messages. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* aws_bedrockagent_agent +* *Arguments:* guardrail_configuration.guardrail_identifier + +To fix this issue, ensure that the `guardrail_configuration` block in your Terraform configuration includes a valid `guardrail_identifier`. + +[source,go] +---- +resource "aws_bedrockagent_agent" "example" { + ... ++ guardrail_configuration { ++ guardrail_identifier = "your-guardrail-id" # Replace with a valid guardrail identifier ++ } +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc new file mode 100644 index 0000000000..7427b2dbe8 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc 
@@ -0,0 +1,45 @@ +== AWS Load Balancer uses HTTP protocol + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| TBD + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/LBTargetGroup.yaml[CKV_AWS_378] + +|Severity +|MEDIUM + +|Subtype +|Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies AWS Load Balancer Target Groups or Listeners configured to use the HTTP protocol. Using HTTP instead of HTTPS for load balancer communication can expose sensitive traffic to interception and compromise. It is a security best practice to ensure that AWS Load Balancers use HTTPS to encrypt data in transit. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* aws_lb_target_group, aws_alb_target_group, aws_lb_listener, aws_alb_listener +* *Arguments:* protocol + +To fix this issue, update the `protocol` attribute for `aws_lb_target_group`, `aws_alb_target_group`, `aws_lb_listener`, or `aws_alb_listener` to use `HTTPS` instead of `HTTP`. + +[source,go] +---- +resource "aws_lb_target_group" "example" { + ... +- protocal = "HTTP" ++ protocol = "HTTPS" +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc new file mode 100644 index 0000000000..f5884c3d20 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc 
@@ -0,0 +1,56 @@ +== AWS Security Group allows unrestricted egress traffic + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| TBD + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedEgressAny.py[CKV_AWS_382] + +|Severity +|LOW + +|Subtype +|Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies AWS Security Groups that allow unrestricted egress traffic. Allowing unrestricted outbound traffic can lead to data exfiltration and other security risks. As a best practice, egress rules should be explicitly defined to limit outbound traffic to known, trusted destinations. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* aws_security_group +* *Arguments:* egress + +To fix this issue, ensure that the `egress` block in your Terraform configuration is explicitly defined with restricted outbound traffic rules. + +[source,go] +---- +resource "aws_security_group" "example" { + ... +- egress { +- from_port = 0 +- to_port = 0 +- protocol = "-1" +- cidr_blocks = ["0.0.0.0/0"] +- } + ++ egress { ++ from_port = 443 ++ to_port = 443 ++ protocol = "tcp" ++ cidr_blocks = ["10.0.0.0/16"] # Restrict to known, trusted destination ++ } +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc new file mode 100644 index 0000000000..317d9eb604 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc 
@@ -0,0 +1,44 @@ +== Azure Spring Cloud app end-to-end TLS is disabled + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 424a5e77-8997-47d9-b0e0-daaca8b81b01 + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudTLSDisabled.yaml[CKV2_AZURE_55] + +|Severity +|LOW + +|Subtype +|Run,Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies Azure Spring Cloud apps in which end-to-end TLS is disabled. Enabling end-to-end TLS/SSL will secure traffic from ingress controller to apps. After you enable end-to-end TLS and load a cert from the key vault, all communications within Azure Spring Cloud are secured with TLS. As a security best practice, it is recommended to have an end-to-end TLS to secure Spring Cloud apps traffic. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* azurerm_spring_cloud_service, azurerm_spring_cloud_app +* *Arguments:* tls_enabled + +To fix this issue, ensure that the `tls_enabled` attribute is set to `true` in your Terraform configuration for Azure Spring Cloud applications. + +[source,go] +---- +resource "azurerm_spring_cloud_app" "example" { + ... ++ tls_enabled = true +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc new file mode 100644 index 0000000000..fce98217dc --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc 
@@ -0,0 +1,45 @@ +== Azure Container Instance is not configured with virtual network + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| d480c1d2-06b3-4e53-81c9-a21ed83cb5fc + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstancePublicIPAddressType.py[CKV_AZURE_245] + +|Severity +|LOW + +|Subtype +|Run,Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies Azure Container Instances (ACI) that are not configured with a virtual network. Making container instances public makes an internet routable network. By deploying container instances into an Azure virtual network, your containers can communicate securely with other resources in the virtual network. So it is recommended to configure all your container instances within a virtual network. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* azurerm_container_group +* *Arguments:* ip_address_type + +To fix this issue, ensure that the `ip_address_type` attribute is set to `Private` or `None` in your Terraform configuration. + +[source,go] +---- +resource "azurerm_container_group" "example" { + ... +- ip_address_type = "Public" ++ ip_address_type = "Private" +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc new file mode 100644 index 0000000000..f16935231e --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc 
@@ -0,0 +1,45 @@ +== Azure AKS cluster HTTP application routing enabled + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 0429670c-5d2d-4d0f-ab33-59eb5e000305 + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KubernetesClusterHTTPApplicationRouting.py[CKV_AZURE_246] + +|Severity +|LOW + +|Subtype +|Run,Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +HTTP application routing configures an Ingress controller in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints. While this makes it easy to access applications that are deployed to your Azure AKS cluster, this add-on is not recommended for production use. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* azurerm_kubernetes_cluster +* *Arguments:* http_application_routing_enabled + +To fix this issue, ensure that the `http_application_routing_enabled` attribute is set to `false` in your Terraform configuration. + +[source,go] +---- +resource "azurerm_kubernetes_cluster" "example" { + ... +- http_application_routing_enabled = true ++ http_application_routing_enabled = false +} +---- From babf19245e3c52e7de485d13dc7ab7faa1a4dec4 Mon Sep 17 00:00:00 2001 
From: Taylor Date: Sun, 5 Jan 2025 17:46:39 -0800 Subject: [PATCH 2/2] Bakst feedback and IDs and summaries --- .../aws-general-policies/aws-general-policies.adoc | 8 ++++++++ .../aws-general-policies/bc-aws-381.adoc | 8 +++++--- .../aws-general-policies/bc-aws-383.adoc | 6 ++++-- .../aws-networking-policies.adoc | 8 ++++++++ .../aws-networking-policies/bc-aws-378.adoc | 8 +++++--- .../aws-networking-policies/bc-aws-382.adoc | 8 +++++--- .../azure-networking-policies.adoc | 12 ++++++++++++ .../azure-networking-policies/bc-azure-2-55.adoc | 6 ++++-- .../azure-networking-policies/bc-azure-245.adoc | 6 ++++-- .../azure-networking-policies/bc-azure-246.adoc | 6 ++++-- .../enterprise-edition/policy-reference/book.yml | 14 ++++++++++++++ 11 files changed, 73 insertions(+), 17 deletions(-) diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc index 1081c3d1c6..efd41a3f6a 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/aws-general-policies.adoc @@ -453,6 +453,10 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py[CKV_AWS_210] |LOW +|xref:bc-aws-383.adoc[AWS Bedrock agent is not associated with Bedrock guardrails] +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BedrockGuardrails.py[CKV_AWS_383] +|LOW + |xref:ensure-aws-cloudfront-distribution-is-enabled.adoc[AWS Cloudfront distribution is disabled] | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py[CKV_AWS_216] |LOW 
@@ -493,6 +497,10 @@ | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml[CKV2_AWS_37] |LOW +|xref:bc-aws-381.adoc[AWS CodeGuru Reviewer repository association does not use a Customer Managed Key (CMK)] +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py[CKV_AWS_381] +|LOW + |xref:ensure-aws-codepipeline-artifactstore-is-not-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk.adoc[AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)] | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py[CKV_AWS_219] |LOW diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc index 6866ee12d3..2b0ef175d7 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc @@ -6,7 +6,7 @@ [cols="1,1"] |=== |Prisma Cloud Policy ID -| TBD +| 60205a28-8450-413c-a1e5-706f226cff79 |Checkov ID | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py[CKV_AWS_381] 
@@ -24,7 +24,7 @@ === Description -This policy identifies AWS CodeGuru Reviewer repository associations that are not configured with a Customer Managed Key (CMK). Using CMK for encryption ensures that you have full control over the encryption keys, enhancing security for your repository data. Relying on default encryption options may not provide the level of security and compliance required for sensitive environments. +This policy detects whether AWS CodeGuru Reviewer repository associations use Customer Managed Key (CMK) for encryption. CMKs empower users with granular control over key management, including policy setting, usage permissions, and detailed monitoring of access and key rotations. Default encryption options may not provide the level of security and compliance required for sensitive environments. Enforcing the use of CMKs for AWS CodeGuru Reviewer repository associations enables organizations to maintain strict access control and auditing, strengthening overall security posture. === Fix - Buildtime @@ -33,7 +33,9 @@ This policy identifies AWS CodeGuru Reviewer repository associations that are no * *Resource:* aws_codegurureviewer_repository_association * *Arguments:* kms_key_details -To fix this issue, ensure that the `kms_key_details` block is configured with the `encryption_option` set to `CUSTOMER_MANAGED_CMK` in your Terraform configuration. +To mitigate this issue, ensure that the `encryption_option` parameter in the `kms_key_details` block is set to `CUSTOMER_MANAGED_CMK`. This ensures that a CMK is used for encryption. + +Example: [source,go] ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc index a02c6c21e9..9b8ebe3987 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc 
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc @@ -24,7 +24,7 @@ === Description -This policy identifies the AWS Bedrock agent that is not associated with Bedrock guardrails. Amazon Bedrock Guardrails provides governance and compliance controls for generative AI applications, ensuring safe and responsible model use. Associating Guardrails with the Bedrock agent is useful for implementing governance and compliance controls in generative AI applications. Not linking Guardrails to the Bedrock agent raises the risk of non-compliance and harmful AI application outputs. It is recommended that AWS Bedrock agents be associated with Bedrock guardrails to implement safeguards and prevent unwanted behavior from model responses or user messages. +This policy detects whether the AWS Bedrock agent is associated with Bedrock guardrails. Amazon Bedrock Guardrails provides crucial governance and compliance controls for generative AI applications, ensuring their safe and responsible use. Associating Guardrails with the Bedrock agent is essential for enforcing these controls, mitigating the risk of non-compliance and potentially harmful outputs. Not associating Guardrails may expose organizations to various risks, including generating biased, inappropriate, or harmful content. By linking Guardrails, organizations can implement safeguards and prevent unwanted behavior in model responses or user messages. === Fix - Buildtime 
@@ -33,7 +33,9 @@ This policy identifies the AWS Bedrock agent that is not associated with Bedrock * *Resource:* aws_bedrockagent_agent * *Arguments:* guardrail_configuration.guardrail_identifier -To fix this issue, ensure that the `guardrail_configuration` block in your Terraform configuration includes a valid `guardrail_identifier`. +To mitigate this issue, configure the `guardrail_configuration` block in your Terraform configuration to include a valid `guardrail_identifier` argument. This ensures that the appropriate guardrails are associated with the Bedrock agent. + +Example: [source,go] ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/aws-networking-policies.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/aws-networking-policies.adoc index e3ec31ed91..3c4aa56a94 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/aws-networking-policies.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/aws-networking-policies.adoc @@ -53,6 +53,10 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py[CKV_AWS_2] |MEDIUM +|xref:bc-aws-378.adoc[AWS Load Balancer uses HTTP protocol] +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/LBTargetGroup.yaml[CKV_AWS_378] +|MEDIUM + |xref:bc-aws-2-69.adoc[AWS RDS database instance not configured with encryption in transit] | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEncryptionInTransit.yaml[CKV2_AWS_69] |MEDIUM 
@@ -185,6 +189,10 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py[CKV_AWS_122] |LOW +|xref:bc-aws-382.adoc[AWS Security Group allows unrestricted egress traffic] +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedEgressAny.py[CKV_AWS_382] +|LOW + |xref:ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.adoc[AWS security groups allow ingress from 0.0.0.0/0 to port 80] | https://github.com/bridgecrewio/checkov/tree/master/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py[CKV_AWS_260] |LOW diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc index 7427b2dbe8..63a617216c 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc @@ -6,7 +6,7 @@ [cols="1,1"] |=== |Prisma Cloud Policy ID -| TBD +| 85b8e37a-a9af-4954-b933-30cc29d11f36 |Checkov ID | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/LBTargetGroup.yaml[CKV_AWS_378] 
@@ -24,7 +24,7 @@ === Description -This policy identifies AWS Load Balancer Target Groups or Listeners configured to use the HTTP protocol. Using HTTP instead of HTTPS for load balancer communication can expose sensitive traffic to interception and compromise. It is a security best practice to ensure that AWS Load Balancers use HTTPS to encrypt data in transit. +This policy detects whether AWS Load Balancer Target Groups or Listeners use the HTTP protocol. Using HTTP instead of HTTPS for load balancer communication can expose sensitive traffic to eavesdropping and compromise. It is a security best practice to always configure AWS Load Balancers to use HTTPS, which ensures data encryption in transit and prevents the exposure of sensitive information. === Fix - Buildtime @@ -33,7 +33,9 @@ This policy identifies AWS Load Balancer Target Groups or Listeners configured t * *Resource:* aws_lb_target_group, aws_alb_target_group, aws_lb_listener, aws_alb_listener * *Arguments:* protocol -To fix this issue, update the `protocol` attribute for `aws_lb_target_group`, `aws_alb_target_group`, `aws_lb_listener`, or `aws_alb_listener` to use `HTTPS` instead of `HTTP`. +To remediate this issue, update the protocol attribute to use HTTPS instead of HTTP for the following AWS Load Balancer components: aws_lb_target_group, aws_alb_target_group, aws_lb_listener, and aws_alb_listener. + +Example: [source,go] ---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc index f5884c3d20..e99465746e 100644 --- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc 
@@ -6,7 +6,7 @@ [cols="1,1"] |=== |Prisma Cloud Policy ID -| TBD +| dcc171fa-1582-4c80-a20e-ecad6e0c058f |Checkov ID | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedEgressAny.py[CKV_AWS_382] @@ -24,7 +24,7 @@ === Description -This policy identifies AWS Security Groups that allow unrestricted egress traffic. Allowing unrestricted outbound traffic can lead to data exfiltration and other security risks. As a best practice, egress rules should be explicitly defined to limit outbound traffic to known, trusted destinations. +This policy detects whether AWS Security Groups allow unrestricted egress (outbound) traffic. Permitting unrestricted outbound traffic from your resources can increase the risk of data exfiltration and other security vulnerabilities. As a best practice, explicitly define egress rules in your Security Groups to limit outbound traffic to known and trusted destinations only. === Fix - Buildtime @@ -33,7 +33,9 @@ This policy identifies AWS Security Groups that allow unrestricted egress traffi * *Resource:* aws_security_group * *Arguments:* egress -To fix this issue, ensure that the `egress` block in your Terraform configuration is explicitly defined with restricted outbound traffic rules. +To mitigate this issue, for Security Groups, explicitly define restricted outbound traffic rules within the egress block of your Terraform configuration. + +Example: [source,go] ---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azure-networking-policies.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azure-networking-policies.adoc index 997fa548ed..a1eba1e9c5 100644 --- a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azure-networking-policies.adoc +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azure-networking-policies.adoc 
@@ -161,6 +161,10 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py[CKV_AZURE_122] |LOW +|xref:bc-azure-246.adoc[Azure AKS cluster HTTP application routing enabled] +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KubernetesClusterHTTPApplicationRouting.py[CKV_AZURE_246] +|LOW + |xref:bc-azure-143.adoc[Azure AKS cluster nodes have public IP addresses] | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py[CKV_AZURE_143] |LOW @@ -205,6 +209,10 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py[CKV_AZURE_98] |LOW +|xref:bc-azure-245.adoc[Azure Container Instance is not configured with virtual network] +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstancePublicIPAddressType.py[CKV_AZURE_245] +|LOW + |xref:ensure-that-azure-cosmos-db-disables-public-network-access.adoc[Azure Cosmos DB enables public network access] | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py[CKV_AZURE_101] |LOW 
@@ -273,6 +281,10 @@ | https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py[CKV_AZURE_162] |LOW +|xref:bc-azure-2-55.adoc[Azure Spring Cloud app end-to-end TLS is disabled] +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudTLSDisabled.yaml[CKV2_AZURE_55] +|LOW + |xref:enable-trusted-microsoft-services-for-storage-account-access.adoc[Azure Storage Account 'Trusted Microsoft Services' access not enabled] | https://github.com/bridgecrewio/checkov/tree/master/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py[CKV_AZURE_36] |LOW diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc index 317d9eb604..754888527e 100644 --- a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc 
@@ -24,7 +24,7 @@ === Description -This policy identifies Azure Spring Cloud apps in which end-to-end TLS is disabled. Enabling end-to-end TLS/SSL will secure traffic from ingress controller to apps. After you enable end-to-end TLS and load a cert from the key vault, all communications within Azure Spring Cloud are secured with TLS. As a security best practice, it is recommended to have an end-to-end TLS to secure Spring Cloud apps traffic. +This policy detects whether Azure Spring Cloud apps disable end-to-end TLS encryption. Disabling end-to-end TLS leaves your application traffic vulnerable, as data transmitted within your Azure Spring Cloud environment may be exposed to unauthorized access and interception. As a security best practice, it is strongly recommended to enable end-to-end TLS to protect your Spring Cloud application traffic. Enabling end-to-end TLS secures all traffic flowing between the ingress controller and your applications. === Fix - Buildtime @@ -33,7 +33,9 @@ This policy identifies Azure Spring Cloud apps in which end-to-end TLS is disabl * *Resource:* azurerm_spring_cloud_service, azurerm_spring_cloud_app * *Arguments:* tls_enabled -To fix this issue, ensure that the `tls_enabled` attribute is set to `true` in your Terraform configuration for Azure Spring Cloud applications. +To mitigate this issue, set the `tls_enabled` attribute to true within your Terraform configurations for Azure Spring Cloud applications. + +Example: [source,go] ---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc index fce98217dc..822d87c8b7 100644 --- a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc 
@@ -24,7 +24,7 @@ === Description -This policy identifies Azure Container Instances (ACI) that are not configured with a virtual network. Making container instances public makes an internet routable network. By deploying container instances into an Azure virtual network, your containers can communicate securely with other resources in the virtual network. So it is recommended to configure all your container instances within a virtual network. +This policy detects whether Azure Container Instances (ACI) are configured with a virtual network. When ACIs are not deployed within a virtual network, they become publicly accessible, creating a security risk as they are directly exposed to the internet. To mitigate this risk, it is strongly recommended to configure all your container instances within a virtual network. By doing so, you establish a secure and isolated environment where your containers can communicate securely with other resources within the virtual network, preventing potential unauthorized access. === Fix - Buildtime @@ -33,7 +33,9 @@ This policy identifies Azure Container Instances (ACI) that are not configured w * *Resource:* azurerm_container_group * *Arguments:* ip_address_type -To fix this issue, ensure that the `ip_address_type` attribute is set to `Private` or `None` in your Terraform configuration. +To remediate this issue, set the `ip_address_type`` attribute to Private or None in your Terraform configuration. + +Example: [source,go] ---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc index f16935231e..ba8a2b9656 100644 --- a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc 
@@ -24,7 +24,7 @@ === Description -HTTP application routing configures an Ingress controller in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints. While this makes it easy to access applications that are deployed to your Azure AKS cluster, this add-on is not recommended for production use. +This policy detects whether ingress controllers in AKS clusters are configured to allow HTTP application routing. While convenient for development and testing within your AKS clusters, enabling HTTP application routing for production deployments can introduce security risks. Because publicly accessible DNS names are automatically created for application endpoints, using HTTP instead of HTTPS for these endpoints could expose sensitive data, as HTTP traffic is not encrypted. === Fix - Buildtime @@ -33,7 +33,9 @@ HTTP application routing configures an Ingress controller in your AKS cluster. A * *Resource:* azurerm_kubernetes_cluster * *Arguments:* http_application_routing_enabled -To fix this issue, ensure that the `http_application_routing_enabled` attribute is set to `false` in your Terraform configuration. +To mitigate this issue, set the `http_application_routing_enabled`` attribute to false in your Terraform configuration. + +Example: [source,go] ---- diff --git a/docs/en/enterprise-edition/policy-reference/book.yml b/docs/en/enterprise-edition/policy-reference/book.yml index d885b16a59..3972dd57cc 100644 --- a/docs/en/enterprise-edition/policy-reference/book.yml +++ b/docs/en/enterprise-edition/policy-reference/book.yml 
@@ -627,6 +627,10 @@ topics: file: bc-aws-372.adoc - name: Bedrock Agent not encrypted with Customer Master Key (CMK) file: bc-aws-373.adoc + - name: AWS CodeGuru Reviewer repository association does not use a Customer Managed Key (CMK) + file: bc-aws-381.adoc + - name: AWS Bedrock agent is not associated with Bedrock guardrails + file: bc-aws-383.adoc - name: Elastisearch Policies dir: elastisearch-policies topics: @@ -896,6 +900,10 @@ topics: file: bc-aws-2-71.adoc - name: AWS CloudFront origin protocol policy does not enforce HTTPS-only file: bc-aws-2-72.adoc + - name: AWS Load Balancer uses HTTP protocol + file: bc-aws-378.adoc + - name: AWS Security Group allows unrestricted egress traffic + file: bc-aws-382.adoc - name: Public Policies dir: public-policies topics: @@ -1492,6 +1500,12 @@ topics: file: bc-azure-2-49.adoc - name: Azure Machine learning workspace is not configured with private endpoint file: bc-azure-239.adoc + - name: Azure Spring Cloud app end-to-end TLS is disabled + file: bc-azure-2-55.adoc + - name: Azure Container Instance is not configured with virtual network + file: bc-azure-245.adoc + - name: Azure AKS cluster HTTP application routing enabled + file: bc-azure-246.adoc - name: Azure Secrets Policies dir: azure-secrets-policies topics:
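Review bot: In the bc-azure-2-55.adoc fix hunk, the rewritten sentence drops the monospace formatting on the value: the removed line had `true` in backticks and the added line reads "set the `tls_enabled` attribute to true". Keep the value formatted as it was, e.g. "set the `tls_enabled` attribute to `true` within your Terraform configurations for Azure Spring Cloud applications.", so the rendered doc shows the literal HCL value the same way across the three Azure policy pages.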
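Review bot: In the bc-azure-245.adoc fix hunk, "set the `ip_address_type`` attribute" has a stray second closing backtick, which will break AsciiDoc monospace rendering for the rest of the line, and the values `Private` and `None` lost the backticks the removed line had. Suggested line: "To remediate this issue, set the `ip_address_type` attribute to `Private` or `None` in your Terraform configuration." In the same file's description hunk, "detects whether Azure Container Instances (ACI) are configured with a virtual network" inverts the polarity of the removed sentence ("identifies ... that are not configured with a virtual network") and of the page title; "detects Azure Container Instances (ACI) that are not configured with a virtual network" keeps the meaning and matches the phrasing used for the other two Azure policies in this patch.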
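Review bot: In the bc-azure-246.adoc fix hunk, "set the `http_application_routing_enabled`` attribute to false" has the same stray double backtick as bc-azure-245.adoc and drops the backticks around `false`; use "set the `http_application_routing_enabled` attribute to `false` in your Terraform configuration." In the description hunk, the new first sentence says the policy checks "whether ingress controllers in AKS clusters are configured to allow HTTP application routing", but the argument being checked is `http_application_routing_enabled` on `azurerm_kubernetes_cluster`, i.e. the add-on on the cluster, which in turn deploys the ingress controller (as the removed sentence described). The rewrite also replaces the removed line's rationale (publicly accessible DNS names are created automatically and the add-on is not recommended for production) with an HTTP-versus-HTTPS argument that the removed text does not make; consider keeping the original rationale, e.g. "This policy detects AKS clusters with the HTTP application routing add-on enabled. The add-on creates publicly accessible DNS names for application endpoints and is not recommended for production use."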
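Review bot: In the book.yml hunk at `@@ -1492,6 +1500,12 @@`, the three new Azure titles are phrased inconsistently: "Azure Spring Cloud app end-to-end TLS is disabled" and "Azure Container Instance is not configured with virtual network" use a verb, while "Azure AKS cluster HTTP application routing enabled" does not. "Azure AKS cluster HTTP application routing is enabled" would match its siblings; whichever form is chosen should also match the `==` title in bc-azure-246.adoc so the navigation entry and the page heading agree.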
