Conversation
![cas-cortex[bot]](https://avatars.githubusercontent.com/in/970505?s=60&v=4){kind=small}
| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| # export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
There was a problem hiding this comment.
[Secret] AWS Access Key detected in code
Rule ID: APPSEC_SECRET_2
Description
AWS Access Keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example, `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`).
| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| # export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
There was a problem hiding this comment.
[IaC] EC2 user data exposes secrets misconfiguration detected in code
Rule ID: APPSEC_AWS_46
Description
*User Data* is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code exposed to any entity which has the most basic access to EC2, even read-only configurations. This code is not encrypted. Removing secrets from easily-accessed unencrypted places reduces the risk of passwords, private keys and more from being exposed to third parties.Manual Fix
Resource: aws_instance * Argument: user_data In this case, the analysis has found a likely AWS secret being used in your user_data.
Remove these secrets, substitute with dynamic (i.e. Obtain from Vault) or use instance profiles.
resource "aws_instance" "web" {
...
instance_type = "t3.micro"
- user_data = "access_key=123456ABCDEFGHIJZTLA and secret_key=AAAaa+Aa4AAaAA6aAkA0Ad+Aa8aA1aaaAAAaAaA"
}| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| # export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
There was a problem hiding this comment.
[IaC] AWS EC2 instance detailed monitoring disabled misconfiguration detected in code
Rule ID: APPSEC_AWS_126
Description
Enabling detailed monitoring for Amazon Elastic Compute Cloud (EC2) instances can provide you with additional data and insights about the performance and utilization of your instances. : Detailed monitoring can provide you with more data about the utilization of your instances, which can be helpful for capacity planning and optimization.Manual Fix
Resource: aws_instance * Arguments: monitoring
resource "aws_instance" "test" {
+ monitoring = true
}| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| # export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
There was a problem hiding this comment.
[IaC] EC2 EBS is not optimized misconfiguration detected in code
Rule ID: APPSEC_AWS_135
Description
Ensuring that EC2 instances are EBS-optimized will help to deliver enhanced performance for EBS workloads. They provide dedicated throughput to Amazon Elastic Block Store (EBS) volumes, which can result in improved EBS performance. Additionally, EBS-optimized instances use a separate network connection for EBS traffic, which can reduce network latency and improve the performance of EBS-intensive workloads.Manual Fix
Resource: aws_instance * Arguments: ebs_optimized
resource "aws_instance" "foo" {
...
+ ebs_optimized = true
}| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| # export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
There was a problem hiding this comment.
[IaC] AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2) misconfiguration detected in code
Rule ID: APPSEC_AWS_79
Description
The Instance Metadata Service (IMDS) is an on-instance component used by code on the instance to securely access instance metadata.You can access instance metadata from a running instance using one of the following methods:
- Instance Metadata Service Version 1 (IMDSv1) -- a request/response method
- Instance Metadata Service Version 2 (IMDSv2) -- a session-oriented method
As a request/response method IMDSv1 is prone to local misconfigurations:
- Open proxies, open NATs and routers, server-side reflection vulnerabilities.
- One way or another, local software might access local-only data.
Manual Fix
Resource: aws_instance * Arguments: http_tokens - (Optional) Whether or not the metadata service requires session tokens, the mechanism used for Instance Metadata Service Version 2.
Can be "optional" or "required".
(Default: "optional").
Set to "required" to enable Instance Metadata Service V2.
Alternatively, disable the metadata service altogether by setting http_endpoint = "disabled".
If setting http_tokens = "required" in a launch template that is being used for a EKS worker/node group, you should consider setting the http_put_response_hop_limit = 2 per the default behavior in EKS.
Without this setting the default service account in EKS will not be able to access the instance metadata service.
resource "aws_instance" "example" {
...
instance_type = "t2.micro"
+ metadata_options {
...
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
...
}| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| # export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
There was a problem hiding this comment.
[IaC] AWS EC2 Auto Scaling Launch Configuration is not using encrypted EBS volumes misconfiguration detected in code
Rule ID: APPSEC_AWS_8
Description
Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling. When the entire EBS volume is encrypted, data stored at rest on the volume, disk I/O, snapshots created from the volume, and data in-transit between EBS and EC2 are all encrypted.Manual Fix
Resource: aws_launch_configuration * Attribute: encrypted - (Optional) Whether the volume should be encrypted or not. Do not use this option if you are using snapshot_id as the encrypted flag will be determined by the snapshot. (Default: false).
resource "aws_launch_configuration" "example" {
...
instance_type = "t2.micro"
+ root_block_device {
+ encrypted = true
+ }
...
}| sudo systemctl start apache2 | ||
| sudo systemctl enable apache2 | ||
| export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA | ||
| # export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA |
There was a problem hiding this comment.
[IaC] AWS EC2 Instance IAM Role not enabled misconfiguration detected in code
Rule ID: APPSEC2_AWS_41
Description
AWS provides Identity Access Management (IAM) roles to securely access AWS services and resources. The role is an identity with permission policies that define what the identity can and cannot do in AWS. As a best practice, create IAM roles and attach the role to manage EC2 instance permissions securely instead of distributing or sharing keys or passwordsManual Fix
Resource: aws_instance * Arguments: iam_instance_profile
resource "aws_instance" "pass" { ami = "ami-005e54dee72cc1d00" # us-west-2 instance_type = "t2.micro" iam_instance_profile = "test"network_interface {
network_interface_id = aws_network_interface.foo.id
device_index = 0
}
credit_specification {
cpu_credits = "unlimited"
}
}
1 participant
No description provided.