Inverted logic in rule AVD-AWS-0141 #5452

Closed
nikpivkin opened this issue Oct 26, 2023 · 0 comments · Fixed by aquasecurity/trivy-iac#37
@nikpivkin (Contributor) wrote:
The key is active and Trivy does not alert:

resource "aws_iam_access_key" "this" {
  user   = "root"
  status = "Active"
}

trivy conf iam-key
2023-10-26T16:25:59.639+0700    INFO    Misconfiguration scanning is enabled
2023-10-26T16:26:00.055+0700    INFO    Detected config files: 2

The key is inactive and Trivy warns:

resource "aws_iam_access_key" "this" {
  user   = "root"
  status = "Inactive"
}

trivy conf iam-key
2023-10-26T16:26:34.436+0700    INFO    Misconfiguration scanning is enabled
2023-10-26T16:26:34.844+0700    INFO    Detected config files: 2

main.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Access key exists for root user
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

CIS recommends that all access keys be associated with the root user be removed. Removing access keys associated with the root user limits vectors that the account can be compromised by. Removing the root user access keys also encourages the creation and use of role-based accounts that are least privileged.


See https://avd.aquasec.com/misconfig/avd-aws-0141
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:1-4
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_iam_access_key" "this" {
   2 │          user = "root"
   3 │  status = "Inactive"
   4 └ }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
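As an added illustration of the inverted condition this issue reports (example code, not Trivy's or trivy-iac's own): a small Go model that applies both the intended root-key check and its negated form to the two snippets above, so the correct check flags only the active root key while the inverted one reproduces the observed behaviour. The regex-based parser is a constructed stand-in for Trivy's HCL adapter, and `AccessKey`, `parseAccessKeys`, `rootKeyActive`, `rootKeyInverted` and `countFindings` are assumed names.

```go
package main

import (
	"regexp"
	"strings"
)

// AccessKey is a hypothetical minimal model of aws_iam_access_key (trivy-iac's types are richer).
type AccessKey struct {
	User   string
	Active bool
}

// Constructed toy parser (not Trivy's HCL parser): regexes pull user/status out of each block.
var blockRe = regexp.MustCompile(`(?s)resource\s+"aws_iam_access_key"\s+"[^"]*"\s*\{(.*?)\}`)
var attrRe = regexp.MustCompile(`(\w+)\s*=\s*"([^"]*)"`)

func parseAccessKeys(hcl string) []AccessKey {
	var keys []AccessKey
	for _, block := range blockRe.FindAllStringSubmatch(hcl, -1) {
		var k AccessKey
		for _, attr := range attrRe.FindAllStringSubmatch(block[1], -1) {
			switch attr[1] {
			case "user":
				k.User = attr[2]
			case "status": // Terraform accepts "Active"/"Inactive"; anything else counts as inactive
				k.Active = strings.EqualFold(attr[2], "Active")
			}
		}
		keys = append(keys, k)
	}
	return keys
}

// Intended AVD-AWS-0141 logic: flag a key that belongs to the root user AND is active.
func rootKeyActive(k AccessKey) bool { return k.User == "root" && k.Active }

// Inverted variant reproducing the report: the status test is negated, so an
// inactive root key is flagged while an active one passes unnoticed.
func rootKeyInverted(k AccessKey) bool { return k.User == "root" && !k.Active }
// countFindings applies a check to every parsed key and returns how many it flags.
func countFindings(hcl string, check func(AccessKey) bool) int {
	n := 0
	for _, k := range parseAccessKeys(hcl) {
		if check(k) {
			n++
		}
	}
	return n
}
```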
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Oct 26, 2023
@simar7 simar7 added this to the v0.47.0 milestone Oct 30, 2023
@simar7 simar7 modified the milestones: v0.47.0, v0.48.0 Nov 3, 2023