Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable tfsec pre-commit hook #42

Open
RothAndrew opened this issue Jan 24, 2023 · 2 comments
Open

Enable tfsec pre-commit hook #42

RothAndrew opened this issue Jan 24, 2023 · 2 comments

Comments

@RothAndrew
Copy link
Member

Existing tfsec errors:

Results #1-2 CRITICAL Security group rule allows egress to multiple public internet addresses. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  modules/bastion/main.tf:103
────────────────────────────────────────────────────────────────────────────────
   78    resource "aws_security_group" "sg" {
   ..  
  103  [       cidr_blocks = egress.value.cidr_blocks
  ...  
  107    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - modules/bastion/main.tf:78-107 (aws_security_group.sg[0]) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-6 CRITICAL Security group rule allows egress to multiple public internet addresses. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:182
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
    via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
     via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
  170    resource "aws_security_group_rule" "node" {
  ...  
  182  [   cidr_blocks      = try(each.value.cidr_blocks, null)
  ...  
  190    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:32-58 (module.eks) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #7 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/node_groups.tf:183
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
    via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
     via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
  170    resource "aws_security_group_rule" "node" {
  ...  
  183  [   ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
  ...  
  190    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #8-9 CRITICAL Security group rule allows egress to multiple public internet addresses. (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/main.tf:103
   via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
   78    resource "aws_security_group" "sg" {
   ..  
  103  [       cidr_blocks = egress.value.cidr_blocks
  ...  
  107    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/main.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Network ACL rule allows access using ALL ports. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:674
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  662    resource "aws_network_acl_rule" "public_inbound" {
  ...  
  674  [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"] ("-1")
  ...  
  677    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-excessive-port-access
      Impact All ports exposed for egressing data
  Resolution Set specific allowed ports

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Network ACL rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:675
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  662    resource "aws_network_acl_rule" "public_inbound" {
  ...  
  675  [   cidr_block      = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
  ...  
  677    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-acl
      Impact The ports are exposed for ingressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Network ACL rule allows access using ALL ports. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:691
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  679    resource "aws_network_acl_rule" "public_outbound" {
  ...  
  691  [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"] ("-1")
  ...  
  694    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-excessive-port-access
      Impact All ports exposed for egressing data
  Resolution Set specific allowed ports

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────


Result #13 CRITICAL Network ACL rule allows access using ALL ports. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:725
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  713    resource "aws_network_acl_rule" "private_inbound" {
  ...  
  725  [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"] ("-1")
  ...  
  728    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-excessive-port-access
      Impact All ports exposed for egressing data
  Resolution Set specific allowed ports

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────


Result #14 CRITICAL Network ACL rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:726
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  713    resource "aws_network_acl_rule" "private_inbound" {
  ...  
  726  [   cidr_block      = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
  ...  
  728    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-acl
      Impact The ports are exposed for ingressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────


Result #15 CRITICAL Network ACL rule allows access using ALL ports. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:742
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  730    resource "aws_network_acl_rule" "private_outbound" {
  ...  
  742  [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"] ("-1")
  ...  
  745    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-excessive-port-access
      Impact All ports exposed for egressing data
  Resolution Set specific allowed ports

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────


Result #16 CRITICAL Network ACL rule allows access using ALL ports. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:878
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  866    resource "aws_network_acl_rule" "database_inbound" {
  ...  
  878  [   protocol        = var.database_inbound_acl_rules[count.index]["protocol"] ("-1")
  ...  
  881    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-excessive-port-access
      Impact All ports exposed for egressing data
  Resolution Set specific allowed ports

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────


Result #17 CRITICAL Network ACL rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:879
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  866    resource "aws_network_acl_rule" "database_inbound" {
  ...  
  879  [   cidr_block      = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null) ("0.0.0.0/0")
  ...  
  881    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-acl
      Impact The ports are exposed for ingressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ingress-acl/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
────────────────────────────────────────────────────────────────────────────────


Result #18 CRITICAL Network ACL rule allows access using ALL ports. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:895
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  883    resource "aws_network_acl_rule" "database_outbound" {
  ...  
  895  [   protocol        = var.database_outbound_acl_rules[count.index]["protocol"] ("-1")
  ...  
  898    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-excessive-port-access
      Impact All ports exposed for egressing data
  Resolution Set specific allowed ports

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-excessive-port-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port
────────────────────────────────────────────────────────────────────────────────


Results #19-22 CRITICAL Security group rule allows egress to multiple public internet addresses. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:182
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
    via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
  170    resource "aws_security_group_rule" "node" {
  ...  
  182  [   cidr_blocks      = try(each.value.cidr_blocks, null)
  ...  
  190    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:18-265 (module.eks_blueprints) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #23 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/node_groups.tf:183
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
    via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
  170    resource "aws_security_group_rule" "node" {
  ...  
  183  [   ipv6_cidr_blocks = try(each.value.ipv6_cidr_blocks, null)
  ...  
  190    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #24-25 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource 'b8e4f5e8-7a78-4a7a-8be6-ee31337a2dee/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  modules/bastion/iam.tf:181-198
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_iam_policy" "s3_readonly_policy" {
  180      name   = "${local.bucket_prefix}-s3-readonly"
  181  ┌   policy = <<EOF
  182  │ {
  183  │     "Version": "2012-10-17",
  184  │     "Statement": [
  185  │         {
  186  │             "Effect": "Allow",
  187  └             "Action": [
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - modules/bastion/iam.tf:179-199 (aws_iam_policy.s3_readonly_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #26-27 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'b8e4f5e8-7a78-4a7a-8be6-ee31337a2dee' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  modules/bastion/iam.tf:54-57
────────────────────────────────────────────────────────────────────────────────
   41    data "aws_iam_policy_document" "ssm_s3_cwl_access" {
   ..  
   54  ┌     resources = [
   55  │       aws_s3_bucket.session_logs_bucket.arn,
   56  │       "${aws_s3_bucket.session_logs_bucket.arn}/*",
   57  └     ]
   ..  
   99    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - modules/bastion/iam.tf:41-99 (data.aws_iam_policy_document.ssm_s3_cwl_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #28-29 HIGH IAM policy document uses sensitive action 'logs:PutLogEvents' on wildcarded resource '*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  modules/bastion/iam.tf:84
────────────────────────────────────────────────────────────────────────────────
   41    data "aws_iam_policy_document" "ssm_s3_cwl_access" {
   ..  
   84  [     resources = ["*"]
   ..  
   99    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - modules/bastion/iam.tf:41-99 (data.aws_iam_policy_document.ssm_s3_cwl_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #30 HIGH IAM policy document uses sensitive action 'autoscaling:CompleteLifecycleAction' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:29
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:188-196 (module.aws_node_termination_handler[0])
    via modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
────────────────────────────────────────────────────────────────────────────────
   19    data "aws_iam_policy_document" "irsa_policy" {
   ..  
   29  [     resources = ["*"]
   ..  
   31    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #31 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/cluster-autoscaler/main.tf:71
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:235-244 (module.cluster_autoscaler[0])
    via modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
────────────────────────────────────────────────────────────────────────────────
   52    data "aws_iam_policy_document" "cluster_autoscaler" {
   ..  
   71  [     resources = ["*"]
   ..  
   86    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #32-33 HIGH IAM policy document uses wildcarded action 's3:*Object' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  modules/s3-irsa/main.tf:49
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "irsa_policy" {
   ..  
   49  [     actions   = ["s3:*Object"]
   ..  
   73    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - modules/s3-irsa/main.tf:43-73 (data.aws_iam_policy_document.irsa_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #34-35 HIGH IAM policy document uses sensitive action 's3:*Object' on wildcarded resource '0fafd38f-b626-442d-9d4d-27dfe819b50b/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  modules/s3-irsa/main.tf:50
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "irsa_policy" {
   ..  
   50  [     resources = ["${module.s3_bucket.s3_bucket_arn}/*"]
   ..  
   73    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - modules/s3-irsa/main.tf:43-73 (data.aws_iam_policy_document.irsa_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #36-38 HIGH IAM policy document uses sensitive action 'autoscaling:CompleteLifecycleAction' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:29
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:188-196 (module.aws_node_termination_handler[0])
    via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
     via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
   19    data "aws_iam_policy_document" "irsa_policy" {
   ..  
   29  [     resources = ["*"]
   ..  
   31    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:32-58 (module.eks)
  - git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/aws-node-termination-handler/data.tf:32-58 (module.eks) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #39 HIGH IAM policy document uses sensitive action 'autoscaling:SetDesiredCapacity' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/cluster-autoscaler/main.tf:71
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git/modules/kubernetes-addons?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints_kubernetes_addons/modules/kubernetes-addons/main.tf:235-244 (module.cluster_autoscaler[0])
    via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/eks-addons.tf:5-45 (module.eks_blueprints_kubernetes_addons)
     via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
   52    data "aws_iam_policy_document" "cluster_autoscaler" {
   ..  
   71  [     resources = ["*"]
   ..  
   86    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #40 HIGH Cluster does not have secret encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/terraform-aws-modules/eks/aws/main.tf:14-63
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks.eks_blueprints/main.tf:21-79 (module.aws_eks)
    via git::https:/github.com/defenseunicorns/iac.git/modules/eks?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/eks/modules/eks/main.tf:18-265 (module.eks_blueprints)
     via examples/complete-example/main.tf:32-58 (module.eks)
────────────────────────────────────────────────────────────────────────────────
   14  ┌ resource "aws_eks_cluster" "this" {
   15  │   count = local.create ? 1 : 0
   16  │ 
   17  │   name                      = var.cluster_name
   18  │   role_arn                  = local.cluster_role
   19  │   version                   = var.cluster_version
   20  │   enabled_cluster_log_types = var.cluster_enabled_log_types
   21  │ 
   22  └   vpc_config {
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-encrypt-secrets
      Impact EKS secrets could be read if compromised
  Resolution Enable encryption of EKS secrets

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/eks/encrypt-secrets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config
────────────────────────────────────────────────────────────────────────────────


Results #41-42 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource '97b1a0d8-17a8-4020-bd35-8e8cd69a7232/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:181-198
   via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_iam_policy" "s3_readonly_policy" {
  180      name   = "${local.bucket_prefix}-s3-readonly"
  181  ┌   policy = <<EOF
  182  │ {
  183  │     "Version": "2012-10-17",
  184  │     "Statement": [
  185  │         {
  186  │             "Effect": "Allow",
  187  └             "Action": [
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #43-44 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '97b1a0d8-17a8-4020-bd35-8e8cd69a7232' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:54-57
   via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
   41    data "aws_iam_policy_document" "ssm_s3_cwl_access" {
   ..  
   54  ┌     resources = [
   55  │       aws_s3_bucket.session_logs_bucket.arn,
   56  │       "${aws_s3_bucket.session_logs_bucket.arn}/*",
   57  └     ]
   ..  
   99    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #45-46 HIGH IAM policy document uses sensitive action 'logs:PutLogEvents' on wildcarded resource '*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:84
   via examples/complete-example/main.tf:81-101 (module.bastion)
────────────────────────────────────────────────────────────────────────────────
   41    data "aws_iam_policy_document" "ssm_s3_cwl_access" {
   ..  
   84  [     resources = ["*"]
   ..  
   99    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/defenseunicorns/iac.git/modules/bastion?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/bastion/modules/bastion/iam.tf:81-101 (module.bastion) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #47-49 HIGH Subnet associates public IP address. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:366
   via git::https:/github.com/defenseunicorns/iac.git/modules/vpc?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc/modules/vpc/main.tf:14-81 (module.vpc)
    via examples/complete-example/main.tf:13-27 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  359    resource "aws_subnet" "public" {
  ...  
  366  [   map_public_ip_on_launch         = var.map_public_ip_on_launch (true)
  ...  
  382    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:13-27 (module.vpc) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ip-subnet
      Impact The instance is publicly accessible
  Resolution Set the instance to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ip-subnet/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch
────────────────────────────────────────────────────────────────────────────────


Result #50 HIGH Subnet associates public IP address. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:366
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
  359    resource "aws_subnet" "public" {
  ...  
  366  [   map_public_ip_on_launch         = var.map_public_ip_on_launch (true)
  ...  
  382    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ip-subnet
      Impact The instance is publicly accessible
  Resolution Set the instance to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/no-public-ip-subnet/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch
────────────────────────────────────────────────────────────────────────────────


Result #51 HIGH Cluster does not have secret encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/eks/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints.aws_eks/main.tf:14-63
   via git::https:/github.com/aws-ia/terraform-aws-eks-blueprints.git?ref=v4.21.0/Users/andrewroth/src/github.com/defenseunicorns/iac/modules/eks/.terraform/modules/eks_blueprints/main.tf:21-79 (module.aws_eks)
    via modules/eks/main.tf:18-265 (module.eks_blueprints)
────────────────────────────────────────────────────────────────────────────────
   14  ┌ resource "aws_eks_cluster" "this" {
   15  │   count = local.create ? 1 : 0
   16  │ 
   17  │   name                      = var.cluster_name
   18  │   role_arn                  = local.cluster_role
   19  │   version                   = var.cluster_version
   20  │   enabled_cluster_log_types = var.cluster_enabled_log_types
   21  │ 
   22  └   vpc_config {
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-eks-encrypt-secrets
      Impact EKS secrets could be read if compromised
  Resolution Enable encryption of EKS secrets

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/eks/encrypt-secrets/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config
────────────────────────────────────────────────────────────────────────────────


Result #52 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf:84
   via git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/main.tf:69-149 (module.db_instance)
    via modules/rds/main.tf:7-70 (module.db)
────────────────────────────────────────────────────────────────────────────────
   32    resource "aws_db_instance" "this" {
   ..  
   84  [   backup_retention_period = var.backup_retention_period (1)
  ...  
  130    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #53 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  ../../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf:94
────────────────────────────────────────────────────────────────────────────────
  Failed to render code: failed to read file from result filesystem ("/var/folders/_d/70qj4sy15hv6tmp2vfpx1khh0000gn/T/.aqua/cache/82af53160b6dea8e02a86b95cf2a354f"): open /var/folders/_d/70qj4sy15hv6tmp2vfpx1khh0000gn/T/.aqua/cache/82af53160b6dea8e02a86b95cf2a354f/git::https:/github.com/terraform-aws-modules/terraform-aws-rds.git?ref=v5.2.3/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #54 MEDIUM VPC Flow Logs is not enabled for VPC  
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc.vpc/main.tf:20-43
   via git::https:/github.com/defenseunicorns/iac.git/modules/vpc?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/vpc/modules/vpc/main.tf:14-81 (module.vpc)
    via examples/complete-example/main.tf:13-27 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
   20  ┌ resource "aws_vpc" "this" {
   21  │   count = local.create_vpc ? 1 : 0
   22  │ 
   23  │   cidr_block          = var.use_ipam_pool ? null : var.cidr
   24  │   ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
   25  │   ipv4_netmask_length = var.ipv4_netmask_length
   26  │ 
   27  │   assign_generated_ipv6_cidr_block = var.enable_ipv6 && !var.use_ipam_pool ? true : null
   28  └   ipv6_cidr_block                  = var.ipv6_cidr
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-require-vpc-flow-logs-for-all-vpcs
      Impact Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
  Resolution Enable flow logs for VPC

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────────────────────────────────────────────


Result #55 MEDIUM VPC Flow Logs is not enabled for VPC  
────────────────────────────────────────────────────────────────────────────────
  git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v3.19.0/main.tf:20-43
   via modules/vpc/main.tf:14-81 (module.vpc)
────────────────────────────────────────────────────────────────────────────────
   20  ┌ resource "aws_vpc" "this" {
   21  │   count = local.create_vpc ? 1 : 0
   22  │ 
   23  │   cidr_block          = var.use_ipam_pool ? null : var.cidr
   24  │   ipv4_ipam_pool_id   = var.ipv4_ipam_pool_id
   25  │   ipv4_netmask_length = var.ipv4_netmask_length
   26  │ 
   27  │   assign_generated_ipv6_cidr_block = var.enable_ipv6 && !var.use_ipam_pool ? true : null
   28  └   ipv6_cidr_block                  = var.ipv6_cidr
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-require-vpc-flow-logs-for-all-vpcs
      Impact Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
  Resolution Enable flow logs for VPC

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
────────────────────────────────────────────────────────────────────────────────


Result #56 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket.s3_bucket/main.tf:18-27
   via git::https:/github.com/defenseunicorns/iac.git/modules/s3-irsa?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket/modules/s3-irsa/main.tf:12-30 (module.s3_bucket)
    via examples/complete-example/main.tf:111-124 (module.loki_s3_bucket)
────────────────────────────────────────────────────────────────────────────────
   18    resource "aws_s3_bucket" "this" {
   19      count = local.create_bucket ? 1 : 0
   20    
   21      bucket        = var.bucket
   22      bucket_prefix = var.bucket_prefix
   23    
   24      force_destroy       = var.force_destroy
   25      object_lock_enabled = var.object_lock_enabled
   26      tags                = var.tags
   27    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #57 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket.s3_bucket/main.tf:18-27
   via git::https:/github.com/defenseunicorns/iac.git/modules/s3-irsa?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/complete-example/.terraform/modules/loki_s3_bucket/modules/s3-irsa/main.tf:12-30 (module.s3_bucket)
    via examples/complete-example/main.tf:111-124 (module.loki_s3_bucket)
────────────────────────────────────────────────────────────────────────────────
   18    resource "aws_s3_bucket" "this" {
   19      count = local.create_bucket ? 1 : 0
   20    
   21      bucket        = var.bucket
   22      bucket_prefix = var.bucket_prefix
   23    
   24      force_destroy       = var.force_destroy
   25      object_lock_enabled = var.object_lock_enabled
   26      tags                = var.tags
   27    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #58 MEDIUM Bucket does not have logging enabled 
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend.s3_bucket/main.tf:18-27
   via git::https:/github.com/defenseunicorns/iac.git/modules/tfstate-backend?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend/modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
    via examples/tf-state-backend/main.tf:7-16 (module.tfstate_backend)
────────────────────────────────────────────────────────────────────────────────
   18    resource "aws_s3_bucket" "this" {
   19      count = local.create_bucket ? 1 : 0
   20    
   21      bucket        = var.bucket
   22      bucket_prefix = var.bucket_prefix
   23    
   24      force_destroy       = var.force_destroy
   25      object_lock_enabled = var.object_lock_enabled
   26      tags                = var.tags
   27    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Result #59 MEDIUM Bucket does not have versioning enabled 
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/s3-bucket/aws/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend.s3_bucket/main.tf:18-27
   via git::https:/github.com/defenseunicorns/iac.git/modules/tfstate-backend?ref=v0.0.0-alpha.2/Users/andrewroth/src/github.com/defenseunicorns/iac/examples/tf-state-backend/.terraform/modules/tfstate_backend/modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
    via examples/tf-state-backend/main.tf:7-16 (module.tfstate_backend)
────────────────────────────────────────────────────────────────────────────────
   18    resource "aws_s3_bucket" "this" {
   19      count = local.create_bucket ? 1 : 0
   20    
   21      bucket        = var.bucket
   22      bucket_prefix = var.bucket_prefix
   23    
   24      force_destroy       = var.force_destroy
   25      object_lock_enabled = var.object_lock_enabled
   26      tags                = var.tags
   27    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Results #60-61 MEDIUM Bucket does not have logging enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/s3-bucket/aws/main.tf:18-27
   via modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
   18    resource "aws_s3_bucket" "this" {
   19      count = local.create_bucket ? 1 : 0
   20    
   21      bucket        = var.bucket
   22      bucket_prefix = var.bucket_prefix
   23    
   24      force_destroy       = var.force_destroy
   25      object_lock_enabled = var.object_lock_enabled
   26      tags                = var.tags
   27    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - terraform-aws-modules/s3-bucket/aws/main.tf:31-49 (module.s3_bucket)
  - terraform-aws-modules/s3-bucket/aws/main.tf:12-30 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-bucket-logging
      Impact There is no way to determine the access to this bucket
  Resolution Add a logging block to the resource to enable access logging

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-bucket-logging/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
────────────────────────────────────────────────────────────────────────────────


Results #62-63 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  terraform-aws-modules/s3-bucket/aws/main.tf:18-27
   via modules/tfstate-backend/main.tf:31-49 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
   18    resource "aws_s3_bucket" "this" {
   19      count = local.create_bucket ? 1 : 0
   20    
   21      bucket        = var.bucket
   22      bucket_prefix = var.bucket_prefix
   23    
   24      force_destroy       = var.force_destroy
   25      object_lock_enabled = var.object_lock_enabled
   26      tags                = var.tags
   27    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - terraform-aws-modules/s3-bucket/aws/main.tf:31-49 (module.s3_bucket)
  - terraform-aws-modules/s3-bucket/aws/main.tf:12-30 (module.s3_bucket)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             17.05977ms
  parsing              2.772075126s
  adaptation           21.309777ms
  checks               97.643864ms
  total                2.908088537s

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    79
  blocks processed     4219
  files read           361

  results
  ──────────────────────────────────────────
  passed               426
  ignored              4
  critical             23
  high                 28
  medium               12
  low                  0

  426 passed, 4 ignored, 63 potential problem(s) detected.
@kirankt kirankt self-assigned this Feb 3, 2023
@kirankt kirankt mentioned this issue Feb 4, 2023
Closed
@RothAndrew
Copy link
Member Author

@kirankt what's the status of this?

@kirankt
Copy link

kirankt commented Mar 13, 2023

@

@kirankt what's the status of this?

I worked on it a bit but it is heavily outdated. I don't plan to work on it further. Please feel free to take over.

@kirankt kirankt removed their assignment Mar 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@RothAndrew @kirankt