Infrastructure Testing
~ docker run -t -v $PWD:/tf bridgecrew/checkov -d /tf
___| |__ ___ ___| | _______ __
/ __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | | __/ (__| < (_) \ V /
\___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 1.0.684
terraform scan results:
Passed checks: 4, Failed checks: 4, Skipped checks: 0
Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access."
PASSED for resource: aws_s3_bucket.b
File: /bucket.tf:1-4
Guide: https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone
Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access."
PASSED for resource: aws_s3_bucket.b
File: /bucket.tf:1-4
Guide: https://docs.bridgecrew.io/docs/s3_2-acl-write-permissions-everyone
Check: CKV_AWS_70: "Ensure S3 bucket does not allow an action with any Principal"
PASSED for resource: aws_s3_bucket.b
File: /bucket.tf:1-4
Guide: https://docs.bridgecrew.io/docs/bc_aws_s3_23
Check: CKV_AWS_93: "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)"
PASSED for resource: aws_s3_bucket.b
File: /bucket.tf:1-4
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.b
File: /bucket.tf:1-4
Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "tf-test-bucket"
3 | acl = "private"
4 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.b
File: /bucket.tf:1-4
Guide: https://docs.bridgecrew.io/docs/s3_13-enable-logging
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "tf-test-bucket"
3 | acl = "private"
4 | }
Check: CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled"
FAILED for resource: aws_s3_bucket.b
File: /bucket.tf:1-4
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "tf-test-bucket"
3 | acl = "private"
4 | }
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
FAILED for resource: aws_s3_bucket.b
File: /bucket.tf:1-4
Guide: https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "tf-test-bucket"
3 | acl = "private"
4 | }
~ clair-scanner -w example-webgoat.yml --ip 192.168.4.74 webgoat/webgoat-8.0:latest
2021/01/04 23:20:25 [INFO] ▶ Start clair-scanner
2021/01/04 23:20:48 [INFO] ▶ Server listening on port 9279
...
2021/01/04 23:21:13 [ERRO] ▶ Image [webgoat/webgoat-8.0:latest] contains 183 unapproved vulnerabilities
+------------+-----------------------------+---------------+-----------------------+--------------------------------------------------------------+
| STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
+------------+-----------------------------+---------------+-----------------------+--------------------------------------------------------------+
| Unapproved | Critical CVE-2019-17006 | nss | 2:3.26.2-1.1+deb9u1 | In Network Security Services (NSS) before 3.46, |
| | | | | several cryptographic primitives had missing length |
| | | | | checks. In cases where the application calling the |
| | | | | library did not perform a sanity check on the inputs |
| | | | | it could result in a crash due to a buffer overflow. |
...
---
# Gatekeeper ConstraintTemplate: flags core-group Services whose
# spec.externalIPs contains an address that is not in the constraint's
# allowedIPs parameter. Unrestricted externalIPs let a Service intercept
# traffic for arbitrary addresses, which is why the list is allow-listed.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sexternalips
spec:
  crd:
    spec:
      names:
        kind: K8sExternalIPs
      validation:
        # Schema of spec.parameters on each K8sExternalIPs constraint.
        openAPIV3Schema:
          properties:
            allowedIPs:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      # The rule builds two sets (allow-listed IPs, requested externalIPs)
      # and reports the set difference when it is non-empty.
      rego: |
        package k8sexternalips
        violation[{"msg": msg}] {
          input.review.kind.kind == "Service"
          input.review.kind.group == ""
          allowedIPs := {ip | ip := input.parameters.allowedIPs[_]}
          externalIPs := {ip | ip := input.review.object.spec.externalIPs[_]}
          forbiddenIPs := externalIPs - allowedIPs
          count(forbiddenIPs) > 0
          msg := sprintf("service has forbidden external IPs: %v", [forbiddenIPs])
        }
---
# Constraint instance of the K8sExternalIPs template, scoped to core-group
# Services. No spec.parameters is given, so input.parameters.allowedIPs is
# undefined in the template's Rego; the comprehension there yields an empty
# allow list and every externalIP on a Service is reported. Add
# spec.parameters.allowedIPs to permit specific addresses.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: k8sexternalip
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
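# InSpec (inspec-aws) control for the tf-test-bucket S3 bucket.
#
# Every expectation must go through `should` / `should_not`: a bare matcher
# call inside an `it` block only constructs the matcher and never evaluates
# it, so the example passes regardless of the bucket's real configuration.
# The original secure-transport example had exactly that problem.
describe aws_s3_bucket(bucket_name: 'tf-test-bucket') do
  it { should exist }
  it { should_not be_public }
  it { should have_default_encryption_enabled }
  it { should have_secure_transport_enabled }
end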
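# S3 bucket under test. Versioning and default encryption are set so the
# CKV_AWS_21 / CKV_AWS_19 findings are closed and an encryption-at-rest
# check against the bucket can pass.
resource "aws_s3_bucket" "b" {
  bucket = "tf-test-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Still open on this resource: CKV_AWS_18 (access logging needs a separate
  # log-target bucket) and CKV_AWS_52 (MFA delete).
}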
package test
import (
"testing"
"github.com/gruntwork-io/terratest/modules/terraform"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/service/s3"
"github.com/stretchr/testify/assert"
)
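// TestTerraformTestS3 applies the ./tftest configuration, assumes the IAM
// role it creates and verifies that the role can list the bucket it creates.
//
// The assumed-role credentials must actually be attached to the S3 client:
// a credential provider that is built and then dropped leaves the ListObjects
// call running under the session's default credentials, which proves nothing
// about the role's policy.
func TestTerraformTestS3(t *testing.T) {
	// retryable errors in terraform testing.
	terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
		TerraformDir: "./tftest",
	})
	defer terraform.Destroy(t, terraformOptions)
	terraform.InitAndApply(t, terraformOptions)

	roleARN := terraform.Output(t, terraformOptions, "role_arn")
	bucket := terraform.Output(t, terraformOptions, "bucket")

	// Assume role: STS credentials for role_arn, handed to the S3 client.
	// NOTE(review): the region is hard-coded; the bucket's region comes from
	// the provider config in ./tftest, which is not shown here — confirm they agree.
	sess := session.Must(session.NewSession(&aws.Config{Region: aws.String("us-east-1")}))
	creds := stscreds.NewCredentials(sess, roleARN)
	svc := s3.New(sess, &aws.Config{Credentials: creds})

	// List Objects under the assumed role. The role's policy grants
	// s3:ListBucket on this bucket only, so an error here points at the
	// role, its trust policy or the permission policy.
	// NOTE(review): a freshly created role can take a few seconds to become
	// assumable; if this fails intermittently, wrap the call in a retry.
	_, err := svc.ListObjectsV2(&s3.ListObjectsV2Input{Bucket: aws.String(bucket)})
	assert.NoError(t, err)
}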
# Account ID of the identity running terraform; used in the role's trust
# policy below so that principals in this same account can assume it.
data "aws_caller_identity" "current" {}
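# Bucket listed by TestTerraformTestS3 through the test role. Versioning and
# default encryption are enabled so the bucket does not reproduce the
# CKV_AWS_21 / CKV_AWS_19 findings; neither affects the ListBucket test.
resource "aws_s3_bucket" "b" {
  bucket = "tf-test-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}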
# Role assumed by the terratest. The trust policy allows any principal in the
# current account (the account root ARN) to assume it, so IAM policies in
# the account decide who may actually call sts:AssumeRole.
# NOTE(review): the fixed name "test_role" means two concurrent test runs in
# the same account would collide on creation.
resource "aws_iam_role" "test_role" {
  name = "test_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}
# Permission policy for the test role: list the contents of the one bucket
# created above and nothing else. The effect is spelled out even though
# "Allow" is the default, so the intent is visible at a glance.
data "aws_iam_policy_document" "test_policy" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.b.arn]
  }
}
# Managed policy rendered from the document above; attached to the role below.
resource "aws_iam_policy" "test_policy" {
  name   = "test_policy"
  path   = "/"
  policy = data.aws_iam_policy_document.test_policy.json
}
# Binds the ListBucket policy to the test role; without this attachment the
# assumed role has no permissions and the terratest ListObjectsV2 call fails.
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.test_role.name
  policy_arn = aws_iam_policy.test_policy.arn
}
# Read by TestTerraformTestS3 (terraform.Output "role_arn") and passed to
# stscreds.NewCredentials.
output "role_arn" {
  description = "ARN of the IAM role the terratest assumes"
  value       = aws_iam_role.test_role.arn
}
# Read by TestTerraformTestS3 (terraform.Output "bucket") and used as the
# Bucket argument of ListObjectsV2.
output "bucket" {
  description = "Name (id) of the S3 bucket the test role may list"
  value       = aws_s3_bucket.b.id
}