Conversation
| } | ||
| } | ||
|
|
||
| resource storageAccount 'Microsoft.Storage/storageAccounts@2021-01-01' = { |
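Review bot: for the CKV_AZURE_3 finding reported on this resource, set `supportsHttpsTrafficOnly: true` explicitly inside `properties` of this `storageAccount` declaration instead of relying on the API-version default, so the intent survives a later `apiVersion` change and the scanner can verify it directly.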
Azure Storage Account Doesn't Enforce HTTPS Traffic Only
Resource: Microsoft.Storage/storageAccounts.storageAccount | Checkov ID: CKV_AZURE_3
Description
Azure Storage Accounts provide the capability to store a variety of data types, including blobs, files, queues, tables, and disks. Ensuring the secure transport of this data is crucial to prevent potential eavesdropping and man-in-the-middle attacks.
This policy ensures that the 'supportsHttpsTrafficOnly' property for Azure Storage Accounts is set to 'true'. By setting this property to 'true', only HTTPS traffic is allowed to the storage service. Notably, since the API version 2019-04-01, the default value for 'supportsHttpsTrafficOnly' has been set to 'true'. However, it's important to verify this for Storage Accounts, especially those created before this API version.
HTTPS ensures that the data between the client and server is encrypted, adding a layer of security for data in transit.
| @@ -0,0 +1,34 @@ | |||
| resource "aws_instance" "web_host" { | |||
EC2 user data exposes secrets
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_46
How to Fix
resource "aws_instance" "web" {
...
instance_type = "t3.micro"
- user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}
Description
User Data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched.
It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations.
This code is not encrypted.
Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.
| sudo apt-get install -y apache2 | ||
| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
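Review bot: the `export AWS_ACCESS_KEY_ID=...` line places a long-term credential in instance user data, which is stored unencrypted and readable by any principal with basic read access to the instance; remove this line (and any matching secret key export) while keeping the apache2 provisioning commands above it, and attach an IAM instance profile so the instance obtains temporary credentials instead. Because the key has been committed to the repository, treat it as exposed and rotate it regardless of whether the line is removed.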
AWS Access Key detected in code (Invalid)
Resource: fc3f784491eba6121c3bfcc1652a2c57d27b16cb | Checkov ID: CKV_SECRET_2
Description
AWS Access Keys are long-term credentials for an IAM user or the AWS account root user.
You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
| }, { | ||
| yor_name = "web_host" | ||
| }) | ||
| } |
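Review bot: the `aws_instance` closes here, and the CKV_AWS_79 finding on it indicates no IMDSv2 requirement is configured; add a `metadata_options { http_tokens = "required" }` block (optionally with `http_put_response_hop_limit = 1`) before this closing brace so metadata requests must carry a session token.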
AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2)
Resource: aws_instance.web_host | Checkov ID: CKV_AWS_79
Description
The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata.
You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) -- a request/response method
- Instance Metadata Service Version 2 (IMDSv2) -- a session-oriented method
As a request/response method IMDSv1 is prone to local misconfigurations:
- Open proxies, open NATs and routers, server-side reflection vulnerabilities.
- One way or another, local software might access local-only data.
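The fixes for the two `aws_instance.web_host` findings above (CKV_AWS_46, secrets in user data, and CKV_AWS_79, IMDSv2 not required) combined in one Terraform resource, as an added example that is not code from this PR or from checkov; the IAM role and instance profile names and the `var.ami_id` variable are assumptions.

```hcl
# Hardened aws_instance (added example; the role/profile names and var.ami_id are assumed).

resource "aws_iam_role" "web_host" {
  name = "web-host-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_instance_profile" "web_host" {
  name = "web-host-profile"
  role = aws_iam_role.web_host.name
}

resource "aws_instance" "web_host" {
  ami           = var.ami_id # assumption: AMI supplied as a variable
  instance_type = "t3.micro"

  # CKV_AWS_46: no long-term access keys in user data. The CLI/SDK on the
  # instance obtains short-lived credentials from the instance profile via IMDS.
  iam_instance_profile = aws_iam_instance_profile.web_host.name

  # Only the provisioning steps remain in user data; nothing here is secret.
  user_data = <<-EOF
    #!/bin/bash
    sudo apt-get install -y apache2
    sudo systemctl start apache2
    sudo systemctl enable apache2
  EOF

  # CKV_AWS_79: require IMDSv2 session tokens, so a plain GET relayed through an
  # open proxy or a server-side reflection bug cannot read instance credentials.
  # Hop limit 1 keeps the metadata response from leaving the instance itself.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  tags = {
    yor_name = "web_host"
  }
}
```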
Co-authored-by: prisma-cloud-devsecops[bot] <89982750+prisma-cloud-devsecops[bot]@users.noreply.github.com>
checkov found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.