Skip to content

feat(terraform): 7 new policies #7056

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

feat(terraform): 7 new policies #7056

wants to merge 21 commits into from

Conversation

TomerSegev241
Copy link
Collaborator

@TomerSegev241 TomerSegev241 commented Mar 17, 2025
edited by baz-reviewer bot
Loading

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

New/Edited policies (Delete if not relevant)

Description

Include a description of what makes it a violation and any relevant external links.

Fix

How does someone fix the issue in code and/or in runtime?

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

TopicDetails
Unit Testing Adds comprehensive unit tests for each new AWS security policy, ensuring proper functionality and integration with the Checkov framework
Modified files (7)
  • tests/terraform/checks/resource/aws/test_S3BucketPubliclyReadableViaACL.py
  • tests/terraform/checks/resource/aws/test_AutoScalingGroupWithPublicAccess.py
  • tests/terraform/checks/resource/aws/test_RedshiftClusterWithCommonUsernameAndPublicAccess.py
  • tests/terraform/checks/resource/aws/test_EMRPubliclyAccessible.py
  • tests/terraform/checks/resource/aws/test_UnpatchedAuroraPostgresDB.py
  • tests/terraform/checks/resource/aws/test_S3AccessPointPubliclyAccessible.py
  • tests/terraform/checks/resource/aws/test_WAFv2VulnerableForLog4j.py
Latest Contributors(0)
UserCommitDate
AWS Security Policies Implements 7 new security policies for AWS resources, addressing various security concerns including public access, vulnerable configurations, and common misconfigurations
Modified files (7)
  • checkov/terraform/checks/resource/aws/S3BucketPubliclyReadableViaACL.py
  • checkov/terraform/checks/resource/aws/AutoScalingGroupWithPublicAccess.py
  • checkov/terraform/checks/resource/aws/RedshiftClusterWithCommonUsernameAndPublicAccess.py
  • checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py
  • checkov/terraform/checks/resource/aws/UnpatchedAuroraPostgresDB.py
  • checkov/terraform/checks/resource/aws/S3AccessPointPubliclyAccessible.py
  • checkov/terraform/checks/resource/aws/WAFv2VulnerableForLog4j.py
Latest Contributors(0)
UserCommitDate
Module Integration Updates the __init__.py file to integrate the new security policies into the Checkov framework, ensuring they are properly loaded and executed during scans
Modified files (1)
  • __init__.py
Latest Contributors(0)
UserCommitDate
Test Resources Provides example Terraform configurations for each new policy, demonstrating both compliant and non-compliant scenarios to facilitate accurate testing and user understanding
Modified files (7)
  • tests/terraform/checks/resource/aws/example_S3BucketPubliclyReadableViaACL/main.tf
  • tests/terraform/checks/resource/aws/example_AutoScalingGroupWithPublicAccess/main.tf
  • tests/terraform/checks/resource/aws/example_WAFv2VulnerableForLog4j/main.tf
  • tests/terraform/checks/resource/aws/example_UnpatchedAuroraPostgresDB/main.tf
  • tests/terraform/checks/resource/aws/example_EMRPubliclyAccessible/main.tf
  • tests/terraform/checks/resource/aws/example_RedshiftClusterWithCommonUsernameAndPublicAccess/main.tf
  • tests/terraform/checks/resource/aws/example_S3AccessPointPubliclyAccessible/main.tf
Latest Contributors(0)
UserCommitDate
 This pull request is reviewed by Baz. Join @TomerSegev241 and the rest of your team on (Baz).

@TomerSegev241 TomerSegev241 changed the title 7 new policies feat(terraform): 7 new policies Mar 17, 2025
tsmithv11
tsmithv11 requested changes Mar 22, 2025
View reviewed changes
Copy link
Collaborator

@tsmithv11 tsmithv11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! Left some comments. Also:

  1. Please add in the description the CKV ID to Prisma Cloud ID mapping
  2. Make sure the tests pass
  3. Add evaluated_keys or get_evaluated_keys

checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py Outdated
Comment on lines 15 to 21
def scan_resource_conf(self, conf):
if 'block_public_access' in conf:
for arg in list(conf['block_public_access'][0].keys()):
if arg in ['block_public_acls', 'ignore_public_acls', 'restrict_public_buckets']:
if str(conf['block_public_access'][0][arg][0]).lower() == 'false':
return CheckResult.FAILED
return CheckResult.PASSED
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These attributes don't exist. You want to check if block_public_security_group_rules is true (BaseResourceValueCheck)

checkov/terraform/checks/resource/aws/RedshiftClusterWithCommonUsernameAndPublicAccess.py
Comment on lines +18 to +20
if 'publicly_accessible' in conf:
if str(conf['publicly_accessible'][0]).lower() == 'true':
return CheckResult.FAILED
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Default publicly_accessible is true, so also check for the absence of the attribute

checkov/terraform/checks/resource/aws/S3BucketPubliclyReadableViaACL.py Outdated
Comment on lines 15 to 19
def scan_resource_conf(self, conf):
if 'acl' in conf:
if conf['acl'][0] == 'public-read':
return CheckResult.FAILED
return CheckResult.PASSED
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is like CKV_AWS_20 but less complete and different than what 630d3779-d932-4fbf-9cce-6e8d793c6916 is looking for

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see what you mean, do you think that this is more accurate? (setting block_public_policy to false)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to check that the S3 has the pbulic access block, and check if there is a aws_s3_account_public_access_block and check if there is a aws_s3_bucket_website_configuration attached. It would look closer to this: https://github.com/bridgecrewio/checkov/blob/66988745cf9b93c449e3693219c5679e3be19a32/checkov/terraform/checks/resource/aws/S3SecureDataTransport.py

@TomerSegev241
update due to Taylor comments
756672e
@TomerSegev241
Merge remote-tracking branch 'origin/feat(terraform)-medium-policies-…
6748fe6 
…from-CSPM' into feat(terraform)-medium-policies-from-CSPM

# Conflicts:
#	checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py
#	checkov/terraform/checks/resource/aws/RedshiftClusterWithCommonUsernameAndPublicAccess.py
#	checkov/terraform/checks/resource/aws/S3BucketPubliclyReadableViaACL.py
#	checkov/terraform/checks/resource/aws/WAFv2VulnerableForLog4j.py
@TomerSegev241
Merge remote-tracking branch 'origin/feat(terraform)-medium-policies-…
028ec9e 
…from-CSPM' into feat(terraform)-medium-policies-from-CSPM
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsmithv11 tsmithv11 tsmithv11 requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@TomerSegev241 @tsmithv11