+{"kics_version":"v1.5.12","total_counter":6,"queries":[{"query_name":"ALB Listening on HTTP","query_id":"de7f5e83-da88-4046-871f-ea18504b1d43","severity":"HIGH","platform":"Terraform","category":"Networking and Firewall","description":"AWS Application Load Balancer (alb) should not listen on HTTP","query_url":"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener","files":[{"file_name":"../../path/positive1.tf","similarity_id":"b42a19486a8e18324a9b2c06147b1c49feb3ba39a0e4aeafec5665e60f98d047","line":9,"issue_type":"IncorrectValue","search_key":"aws_lb_listener[listener5].default_action.redirect.protocol","search_line":0,"search_value":"","expected_value":"'default_action.redirect.protocol' is equal to 'HTTPS'","actual_value":"'default_action.redirect.protocol' is equal 'HTTP'","remediation":"{\"after\":\"HTTPS\",\"before\":\"HTTP\"}","remediation_type":"replacement"}]},{"query_name":"ALB Not Dropping Invalid Headers","query_id":"6e3fd2ed-5c83-4c68-9679-7700d224d379","severity":"MEDIUM","platform":"Terraform","category":"Best Practices","description":"It's considered a best practice when using Application Load Balancers to drop invalid header fields","query_url":"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields","files":[{"file_name":"../../path/positive1.tf","similarity_id":"9574288c118e8c87eea31b6f0b011295a39ec5e70d83fb70e839b8db4a99eba8","line":15,"issue_type":"MissingAttribute","search_key":"aws_lb[{{test3}}]","search_line":0,"search_value":"","expected_value":"aws_lb[{{test3}}].drop_invalid_header_fields is set to true","actual_value":"aws_lb[{{test3}}].drop_invalid_header_fields is missing","remediation":"drop_invalid_header_fields = true","remediation_type":"addition"}]},{"query_name":"ALB Deletion Protection Disabled","query_id":"afecd1f1-6378-4f7e-bb3b-60c35801fdd4","severity":"LOW","platform":"Terraform","category":"Insecure 
Configurations","description":"Application Load Balancer should have deletion protection enabled","query_url":"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#enable_deletion_protection","files":[{"file_name":"../../path/positive1.tf","similarity_id":"cc22618d82eee56de73a07a558bf689f2efe1ddc42393323d14f77b0c37c29a8","line":15,"issue_type":"MissingAttribute","search_key":"aws_lb[test3]","search_line":0,"search_value":"","expected_value":"'enable_deletion_protection' is defined and set to true","actual_value":"'enable_deletion_protection' is undefined or null","remediation":"enable_deletion_protection = true","remediation_type":"addition"}]},{"query_name":"IAM Access Analyzer Not Enabled","query_id":"e592a0c5-5bdb-414c-9066-5dba7cdea370","severity":"LOW","platform":"Terraform","category":"Best Practices","description":"IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions","query_url":"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer","files":[{"file_name":"../../path/positive1.tf","similarity_id":"23486f3c10caaa350ec4e2a26d49de0969a585e7df6ec7814fe44466c8e1ff9e","line":1,"issue_type":"MissingAttribute","search_key":"resource","search_line":0,"search_value":"","expected_value":"'aws_accessanalyzer_analyzer' is set","actual_value":"'aws_accessanalyzer_analyzer' is undefined","remediation":"","remediation_type":""}]},{"query_name":"Shield Advanced Not In Use","query_id":"084c6686-2a70-4710-91b1-000393e54c12","severity":"LOW","platform":"Terraform","category":"Networking and Firewall","description":"AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS 
attacks","query_url":"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection#resource_arn","files":[{"file_name":"../../path/positive1.tf","similarity_id":"069aa314d2934c4c50746ec0045e0802e3c6f8f803ea5528c60d92917cc4d318","line":15,"issue_type":"MissingAttribute","search_key":"aws_lb[test3]","search_line":0,"search_value":"","expected_value":"aws_lb has shield advanced associated","actual_value":"aws_lb does not have shield advanced associated","remediation":"","remediation_type":""}]},{"query_name":"Resource Not Using Tags","query_id":"e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10","severity":"INFO","platform":"Terraform","category":"Best Practices","description":"AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'","query_url":"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging","files":[{"file_name":"../../path/positive1.tf","similarity_id":"e9119956188af27eb6b095cf0fadbf0d784270d9238e4650390e3b3d9a9756f5","line":15,"issue_type":"MissingAttribute","search_key":"aws_lb[{{test3}}]","search_line":0,"search_value":"","expected_value":"aws_lb[{{test3}}].tags is defined and not null","actual_value":"aws_lb[{{test3}}].tags is undefined or null","remediation":"","remediation_type":""}]}],"severity_counters":{"HIGH":1,"INFO":1,"LOW":3,"MEDIUM":1}}