Last active
January 5, 2021 04:37
-
-
Save danquack/bd1d92e2ed6ecae08f04359e2d024091 to your computer and use it in GitHub Desktop.
Infrastructure Testing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ~ docker run -t -v $PWD:/tf bridgecrew/checkov -d /tf | |
| ___| |__ ___ ___| | _______ __ | |
| / __| '_ \ / _ \/ __| |/ / _ \ \ / / | |
| | (__| | | | __/ (__| < (_) \ V / | |
| \___|_| |_|\___|\___|_|\_\___/ \_/ | |
| By bridgecrew.io | version: 1.0.684 | |
| terraform scan results: | |
| Passed checks: 4, Failed checks: 4, Skipped checks: 0 | |
| Check: CKV_AWS_20: "S3 Bucket has an ACL defined which allows public READ access." | |
| PASSED for resource: aws_s3_bucket.b | |
| File: /bucket.tf:1-4 | |
| Guide: https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone | |
| Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access." | |
| PASSED for resource: aws_s3_bucket.b | |
| File: /bucket.tf:1-4 | |
| Guide: https://docs.bridgecrew.io/docs/s3_2-acl-write-permissions-everyone | |
| Check: CKV_AWS_70: "Ensure S3 bucket does not allow an action with any Principal" | |
| PASSED for resource: aws_s3_bucket.b | |
| File: /bucket.tf:1-4 | |
| Guide: https://docs.bridgecrew.io/docs/bc_aws_s3_23 | |
| Check: CKV_AWS_93: "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)" | |
| PASSED for resource: aws_s3_bucket.b | |
| File: /bucket.tf:1-4 | |
| Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled" | |
| FAILED for resource: aws_s3_bucket.b | |
| File: /bucket.tf:1-4 | |
| Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning | |
| 1 | resource "aws_s3_bucket" "b" { | |
| 2 | bucket = "tf-test-bucket" | |
| 3 | acl = "private" | |
| 4 | } | |
| Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled" | |
| FAILED for resource: aws_s3_bucket.b | |
| File: /bucket.tf:1-4 | |
| Guide: https://docs.bridgecrew.io/docs/s3_13-enable-logging | |
| 1 | resource "aws_s3_bucket" "b" { | |
| 2 | bucket = "tf-test-bucket" | |
| 3 | acl = "private" | |
| 4 | } | |
| Check: CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled" | |
| FAILED for resource: aws_s3_bucket.b | |
| File: /bucket.tf:1-4 | |
| 1 | resource "aws_s3_bucket" "b" { | |
| 2 | bucket = "tf-test-bucket" | |
| 3 | acl = "private" | |
| 4 | } | |
| Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest" | |
| FAILED for resource: aws_s3_bucket.b | |
| File: /bucket.tf:1-4 | |
| Guide: https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest | |
| 1 | resource "aws_s3_bucket" "b" { | |
| 2 | bucket = "tf-test-bucket" | |
| 3 | acl = "private" | |
| 4 | } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ~ clair-scanner -w example-webgoat.yml --ip 192.168.4.74 webgoat/webgoat-8.0:latest | |
| 2021/01/04 23:20:25 [INFO] ▶ Start clair-scanner | |
| 2021/01/04 23:20:48 [INFO] ▶ Server listening on port 9279 | |
| ... | |
| 2021/01/04 23:21:13 [ERRO] ▶ Image [webgoat/webgoat-8.0:latest] contains 183 unapproved vulnerabilities | |
| +------------+-----------------------------+---------------+-----------------------+--------------------------------------------------------------+ | |
| | STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION | | |
| +------------+-----------------------------+---------------+-----------------------+--------------------------------------------------------------+ | |
| | Unapproved | Critical CVE-2019-17006 | nss | 2:3.26.2-1.1+deb9u1 | In Network Security Services (NSS) before 3.46, | | |
| | | | | | several cryptographic primitives had missing length | | |
| | | | | | checks. In cases where the application calling the | | |
| | | | | | library did not perform a sanity check on the inputs | | |
| | | | | | it could result in a crash due to a buffer overflow. | | |
| ... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: templates.gatekeeper.sh/v1beta1 | |
| kind: ConstraintTemplate | |
| metadata: | |
| name: k8sexternalips | |
| spec: | |
| crd: | |
| spec: | |
| names: | |
| kind: K8sExternalIPs | |
| validation: | |
| openAPIV3Schema: | |
| properties: | |
| allowedIPs: | |
| type: array | |
| items: | |
| type: string | |
| targets: | |
| - target: admission.k8s.gatekeeper.sh | |
| rego: | | |
| package k8sexternalips | |
| violation[{"msg": msg}] { | |
| input.review.kind.kind == "Service" | |
| input.review.kind.group == "" | |
| allowedIPs := {ip | ip := input.parameters.allowedIPs[_]} | |
| externalIPs := {ip | ip := input.review.object.spec.externalIPs[_]} | |
| forbiddenIPs := externalIPs - allowedIPs | |
| count(forbiddenIPs) > 0 | |
| msg := sprintf("service has forbidden external IPs: %v", [forbiddenIPs]) | |
| } | |
| --- | |
| apiVersion: constraints.gatekeeper.sh/v1beta1 | |
| kind: K8sExternalIPs | |
| metadata: | |
| name: k8sexternalip | |
| spec: | |
| match: | |
| kinds: | |
| - apiGroups: [""] | |
| kinds: ["Service"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| describe aws_s3_bucket(bucket_name: 'tf-test-bucket') do | |
| it { should exist } | |
| it { should_not be_public } | |
| it { should have_default_encryption_enabled } | |
| it { have_secure_transport_enabled } | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aws_s3_bucket" "b" { | |
| bucket = "tf-test-bucket" | |
| acl = "private" | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package test | |
| import ( | |
| "testing" | |
| "github.com/gruntwork-io/terratest/modules/terraform" | |
| "github.com/aws/aws-sdk-go/aws" | |
| "github.com/aws/aws-sdk-go/aws/session" | |
| "github.com/aws/aws-sdk-go/aws/credentials/stscreds" | |
| "github.com/aws/aws-sdk-go/service/s3" | |
| "github.com/stretchr/testify/assert" | |
| ) | |
| func TestTerraformTestS3(t *testing.T) { | |
| // retryable errors in terraform testing. | |
| terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ | |
| TerraformDir: "./tftest", | |
| }) | |
| defer terraform.Destroy(t, terraformOptions) | |
| terraform.InitAndApply(t, terraformOptions) | |
| output := terraform.Output(t, terraformOptions, "role_arn") | |
| bucket := terraform.Output(t, terraformOptions, "bucket") | |
| // Assume role | |
| sess := session.Must(session.NewSession(&aws.Config{Region: aws.String("us-east-1")})) | |
| stscreds.NewCredentials(sess, output) | |
| svc := s3.New(sess) | |
| // List Objects | |
| _, err := svc.ListObjectsV2(&s3.ListObjectsV2Input{Bucket: aws.String(bucket)}) | |
| assert.Nil(t, err) | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data "aws_caller_identity" "current" {} | |
| resource "aws_s3_bucket" "b" { | |
| bucket = "tf-test-bucket" | |
| acl = "private" | |
| } | |
| resource "aws_iam_role" "test_role" { | |
| name = "test_role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" | |
| }, | |
| "Effect": "Allow" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| data "aws_iam_policy_document" "test_policy" { | |
| statement { | |
| actions = [ | |
| "s3:ListBucket", | |
| ] | |
| resources = [ | |
| aws_s3_bucket.b.arn, | |
| ] | |
| } | |
| } | |
| resource "aws_iam_policy" "test_policy" { | |
| name = "test_policy" | |
| path = "/" | |
| policy = data.aws_iam_policy_document.test_policy.json | |
| } | |
| resource "aws_iam_role_policy_attachment" "test-attach" { | |
| role = aws_iam_role.test_role.name | |
| policy_arn = aws_iam_policy.test_policy.arn | |
| } | |
| output "role_arn" { | |
| value = aws_iam_role.test_role.arn | |
| } | |
| output "bucket" { | |
| value = aws_s3_bucket.b.id | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment