Add files via upload #57
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![prisma-cloud-devsecops[bot]](https://avatars.githubusercontent.com/in/135857?s=60&v=4){kind=small}
| Name = "${local.resource_prefix.value}-customer-master" | ||
| Environment = local.resource_prefix.value | ||
| } | ||
| resource "aws_lambda_function" "example_lambda" { |
There was a problem hiding this comment.
AWS resources that support tags do not have Tags
Resource: aws_lambda_function.example_lambda | Bridgecrew ID: BC_AWS_GENERAL_26 | Checkov ID: CKV_AWS_CUSTOM_1
How to Fix
resource "aws_security_group" "sg" {
name = "my-sg"
...
+ tags = {
+ Environment = "dev"
+ Owner = "apps-team"
+ }
}Description
Many different types of AWS resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.View AWS's recommended tagging best practices here.
| Name = "${local.resource_prefix.value}-customer-master" | ||
| Environment = local.resource_prefix.value | ||
| } | ||
| resource "aws_lambda_function" "example_lambda" { |
There was a problem hiding this comment.
AWS Lambda Function is not assigned to access within VPC
Resource: aws_lambda_function.example_lambda | Bridgecrew ID: BC_AWS_GENERAL_65 | Checkov ID: CKV_AWS_117
How to Fix
resource "aws_lambda_function" "test_lambda" {
...
vpc_config {
// Every subnet should be able to reach an EFS mount target in the same Availability Zone.
// Cross-AZ mounts are not permitted.
+ subnet_ids = [aws_subnet.subnet_for_lambda.id]
security_group_ids = [aws_security_group.sg_for_lambda.id]
}
}Description
By default, Lambda runs functions in a secure VPC with access to AWS services and the internet. Lambda owns this VPC, which isn't connected to the account's default VPC. Internet access from a private subnet requires Network Address Translation (NAT).To give your function access to the internet, route outbound traffic to a NAT gateway in a public subnet.
| WORKDIR $WORKDIR | ||
| COPY package*.json $WORKDIR | ||
| RUN npm install --production --no-cache | ||
| FROM node |
There was a problem hiding this comment.
Base image uses a latest version tag
Resource: /Dockerfile.FROM | Bridgecrew ID: BC_DKR_7 | Checkov ID: CKV_DOCKER_7
Description
When possible, it is recommended to pin the version for the base image in your Dockerfiles. There are a number of potential issues that may be caused when using the `latest` tag. Since `latest` is the default tag when a tag is not specified, it does not automatically refer to the latest version of the image. This can lead to the use of outdated images and in the case of production deployments, using a dynamic version can cause unexpected behavior and difficulty in determining which version is being currently used. It is best practice to be specific as possible about what is running to make operations predictable and reliable| WORKDIR $WORKDIR | ||
| COPY package*.json $WORKDIR | ||
| RUN npm install --production --no-cache | ||
| FROM node |
There was a problem hiding this comment.
Healthcheck instructions have not been added to container images
Resource: /Dockerfile. | Bridgecrew ID: BC_DKR_2 | Checkov ID: CKV_DOCKER_2
Description
We recommend that you add the HEALTHCHECK instruction to your Docker container images to ensure that health checks are executed against running containers.An important security control is that of availability. Adding the HEALTHCHECK instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational.
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.
Benchmarks
- CIS DOCKER V1.2 4.6
| Name = "${local.resource_prefix.value}-customer-master" | ||
| Environment = local.resource_prefix.value | ||
| } | ||
| resource "aws_lambda_function" "example_lambda" { |
There was a problem hiding this comment.
AWS Lambda function is not configured for function-level concurrent execution Limit
Resource: aws_lambda_function.example_lambda | Bridgecrew ID: BC_AWS_GENERAL_63 | Checkov ID: CKV_AWS_115
How to Fix
resource "aws_lambda_function" "example" {
...
+ reserved_concurrent_executions = 100
}Description
Adding concurrency to Lambda initializes that number of execution environments for multiple parallel requests at low latency. However, this could spike costs and open the door for abuse. Adding concurrency limits can prevent a rapid spike in usage and costs, while also increasing or lowering the default concurrency limit.| WORKDIR $WORKDIR | ||
| COPY package*.json $WORKDIR | ||
| RUN npm install --production --no-cache | ||
| FROM node |
There was a problem hiding this comment.
A user for the container has not been created
Resource: /Dockerfile. | Bridgecrew ID: BC_DKR_3 | Checkov ID: CKV_DOCKER_3
Description
Containers should run as a non-root user. It is good practice to run the container as a non-root user, where possible. This can be done either via the ```USER``` directive in the ```Dockerfile``` or through ```gosu``` or similar where used as part of the ```CMD``` or ```ENTRYPOINT``` directives.Benchmarks
- CIS DOCKER V1.2 4.1
| timeout = 15 | ||
| memory_size = 256 | ||
| package_type = "Image" | ||
| image_uri = "node" | ||
| } |
There was a problem hiding this comment.
Suggested change
| } | |
| tracing_config { | |
| mode = "PassThrough" | |
| } | |
| } |
AWS Lambda functions with tracing not enabled
Resource: aws_lambda_function.example_lambda | Bridgecrew ID: BC_AWS_SERVERLESS_4 | Checkov ID: CKV_AWS_50
How to Fix
tracing_config {
mode = "Active"
}Description
X-Ray tracing in lambda functions allows you to visualize and troubleshoot errors and performance bottlenecks, and investigate requests that resulted in an error.| Name = "${local.resource_prefix.value}-customer-master" | ||
| Environment = local.resource_prefix.value | ||
| } | ||
| resource "aws_lambda_function" "example_lambda" { |
There was a problem hiding this comment.
AWS Lambda function is not configured for a DLQ
Resource: aws_lambda_function.example_lambda | Bridgecrew ID: BC_AWS_GENERAL_64 | Checkov ID: CKV_AWS_116
How to Fix
resource "aws_lambda_function" "test_lambda" {
...
+ dead_letter_config {
+ target_arn = "test"
+ }
}Description
Setting up a DLQ offers the possibility to investigate errors or failed requests to the connected Lambda function.As an alternative it is possible to configure an on-failure destination target, which forwards a failed event to a DLQ, SNS Topic, Lambda function or EventBridge.
It is always important to understand why your application/function failed and to ensure that no data was dropped or compromised. Lambda functions are often used to process security related data like CloudTrail events and a failed delivery to a dependent system can result in an unnoticed security breach.
| Name = "${local.resource_prefix.value}-financials" | ||
| Environment = local.resource_prefix.value | ||
| } | ||
| resource "aws_iam_role" "lambda_exec" { |
There was a problem hiding this comment.
AWS resources that support tags do not have Tags
Resource: aws_iam_role.lambda_exec | Bridgecrew ID: BC_AWS_GENERAL_26 | Checkov ID: CKV_AWS_CUSTOM_1
How to Fix
resource "aws_security_group" "sg" {
name = "my-sg"
...
+ tags = {
+ Environment = "dev"
+ Owner = "apps-team"
+ }
}Description
Many different types of AWS resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice.View AWS's recommended tagging best practices here.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.