fix(misconf): false positive AVD-AWS-0131 #5099

Closed
nikpivkin opened this issue Sep 1, 2023 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@nikpivkin
Contributor

Source: https://github.com/aquasecurity/tfsec/issues/1906

Terraform config:

{
  "resource": {
    "aws_instance": {
      "jumpbox": {
        "ami": "ami-default",
        "instance_type": "t3a.small",
        "monitoring": true,
        "network_interface": {
          "device_index": 0,
          "network_interface_id": "aws_network_interface.projectname-jumpbox"
        },
        "root_block_device": {
          "delete_on_termination": false,
          "encrypted": true,
          "volume_size": 30,
          "volume_type": "gp2"
        }
      }
    }
  }
}

Trivy output:

docker run --rm -it -v .:/workspace  ghcr.io/aquasecurity/trivy:canary conf /workspace -d
2023-09-01T14:16:41.354Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-01T14:16:41.357Z        DEBUG   cache dir:  /root/.cache/trivy
2023-09-01T14:16:41.357Z        INFO    Misconfiguration scanning is enabled
2023-09-01T14:16:41.357Z        DEBUG   Failed to open the policy metadata: open /root/.cache/trivy/policy/metadata.json: no such file or directory
2023-09-01T14:16:41.357Z        INFO    Need to update the built-in policies
2023-09-01T14:16:41.357Z        INFO    Downloading the built-in policies...
2023-09-01T14:16:41.357Z        DEBUG   Using URL: ghcr.io/aquasecurity/defsec:0 to load policy bundle
44.37 KiB / 44.37 KiB [----------------------------------------------------------------------------------------------------------] 100.00% 6.20 MiB p/s 200ms
2023-09-01T14:16:44.069Z        DEBUG   Digest of the built-in policies: sha256:fd5f1ce3d8efb1fe158cb41f9adb9d7c7cc5c4c863b261053c962e6d950350b3
2023-09-01T14:16:44.069Z        DEBUG   Policies successfully loaded from disk
2023-09-01T14:16:44.087Z        DEBUG   Walk the file tree rooted at '/workspace' in parallel
2023-09-01T14:16:44.089Z        DEBUG   Scanning Terraform files for misconfigurations...
2023-09-01T14:16:44.451Z        DEBUG   OS is not detected.
2023-09-01T14:16:44.451Z        INFO    Detected config files: 2
2023-09-01T14:16:44.451Z        DEBUG   Scanned config file: .
2023-09-01T14:16:44.451Z        DEBUG   Scanned config file: main.tf.json

main.tf.json (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf.json:4-10
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   4 ┌       "jumpbox": {
   5 │         "ami": "ami-default",
   6 │         "instance_type": "t3a.small",
   7 │         "root_block_device": {
   8 │           "encrypted": true
   9 │         }
  10 └       }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


HIGH: Root block device is not encrypted.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf.json:4-10
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   4 ┌       "jumpbox": {
   5 │         "ami": "ami-default",
   6 │         "instance_type": "t3a.small",
   7 │         "root_block_device": {
   8 │           "encrypted": true
   9 │         }
  10 └       }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
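As an added example (not Trivy's code and not part of the issue), a small Python check that evaluates the two conditions Trivy reported against the posted config: AVD-AWS-0028 (metadata_options.http_tokens must be "required") and AVD-AWS-0131 (root_block_device.encrypted must be true). It accepts nested blocks written either as a single object or as a list of objects, both of which Terraform's JSON syntax allows, and shows that the posted instance should fail only the IMDS check.

```python
import json

# The aws_instance from the issue, reproduced inline as the sample input.
ISSUE_CONFIG = json.loads("""
{
  "resource": {
    "aws_instance": {
      "jumpbox": {
        "ami": "ami-default",
        "instance_type": "t3a.small",
        "monitoring": true,
        "network_interface": {
          "device_index": 0,
          "network_interface_id": "aws_network_interface.projectname-jumpbox"
        },
        "root_block_device": {
          "delete_on_termination": false,
          "encrypted": true,
          "volume_size": 30,
          "volume_type": "gp2"
        }
      }
    }
  }
}
""")

def nested_blocks(body, name):
    """Terraform JSON allows a nested block as one object or a list; normalise to a list."""
    raw = body.get(name)
    if raw is None:
        return []
    return raw if isinstance(raw, list) else [raw]

def failing_checks(body):
    """Return the IDs of the reported checks that genuinely fail for one aws_instance body."""
    failures = []
    # AVD-AWS-0028: IMDSv2 tokens must be required; the default is optional, so a missing block fails.
    tokens = [b.get("http_tokens") for b in nested_blocks(body, "metadata_options")]
    if tokens[:1] != ["required"]:
        failures.append("AVD-AWS-0028")
    # AVD-AWS-0131: root_block_device.encrypted must be true; a missing block is treated as unencrypted.
    roots = nested_blocks(body, "root_block_device")
    if not roots or roots[0].get("encrypted") is not True:
        failures.append("AVD-AWS-0131")
    return failures

def scan(config):
    """Map each aws_instance name to the checks it fails."""
    instances = config.get("resource", {}).get("aws_instance", {})
    return {name: failing_checks(body) for name, body in instances.items()}
```

Running scan(ISSUE_CONFIG) yields {'jumpbox': ['AVD-AWS-0028']}: the IMDS finding is a true positive, while AVD-AWS-0131 should not fire because the root block device is explicitly encrypted.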
@nikpivkin
Contributor Author

@simar7 It's the same problem as in #5081

@simar7
Member

simar7 commented Dec 11, 2023

OK, closing as dupe and taking discussions over thither.

@simar7 closed this as not planned on Dec 11, 2023