check: resources defined with AWS Cloud Control provider
Hashicorp has just released a new AWS Cloud Control (awscc) provider, which provides an alternate mechanism for provisioning AWS resources.
This new provider has different advantages and disadvantages compared with the traditional aws provider – one of the disadvantages is that tfsec AWS checks do not report security misconfigurations for resources created with the awscc provider.
Complicating this is the fact that resources created with both providers can interact with each other. An AWS YouTube presentation shows a simple example of an S3 bucket created with awscc and an S3 public block resource created with aws – currently tfsec does not report any findings for that configuration (reproduced in slightly modified form below).
Describe the solution you'd like
tfsec AWS rules should generate the same output for resources defined with the awscc provider as they do for the aws provider
Additional context
main.tf using both awscc and aws to create an S3 bucket, adapted from the presentation linked above:
terraform {
  required_version = ">= 1.0.5"
  required_providers {
    awscc = {
      source  = "hashicorp/awscc"
      version = "~> 0.1"
    }
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

# Configure the AWS Provider
provider "awscc" {
  region = "eu-central-1"
}

provider "aws" {
  region = "eu-central-1"
}

# Create S3 bucket
resource "awscc_s3_bucket" "mybucket" {
  bucket_name = "tfsec-awscc-bucket-example"
}

# Create S3 block public access
resource "aws_s3_bucket_public_access_block" "mybucket-block" {
  bucket                  = awscc_s3_bucket.mybucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
Results of running tfsec 0.63.1 on this file:
  times
  ------------------------------------------
  disk i/o             589.479µs
  parsing HCL          23.996µs
  evaluating values    132.506µs
  running checks       1.33993ms

  counts
  ------------------------------------------
  files loaded         1
  blocks               5
  modules              0

  results
  ------------------------------------------
  critical             0
  high                 0
  medium               0
  low                  0
  ignored              0

No problems detected!
With an equivalent version using only aws resources, exactly three results are generated, for
- aws-s3-enable-bucket-encryption (HIGH)
- aws-s3-enable-bucket-logging (MEDIUM)
- aws-s3-enable-versioning (MEDIUM)
terraform {
  required_version = ">= 1.0.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = "eu-central-1"
}

# Create S3 bucket (the aws provider argument is `bucket`, not `bucket_name`)
resource "aws_s3_bucket" "mybucket" {
  bucket = "tfsec-awscc-bucket-example"
}

# Create S3 block public access (takes the bucket name, i.e. the `id` attribute, not the ARN)
resource "aws_s3_bucket_public_access_block" "mybucket-block" {
  bucket                  = aws_s3_bucket.mybucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
I think we could do this inside the AWS adapters by requesting resource names with both prefixes everywhere. :thinking:
Turns out this is much more complicated: attribute names/layouts are generated and differ from the standard aws provider.
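As an added example (not tfsec code and not from the issue author or the maintainer), here is a small Python scan that applies the three rule ids from the report above to both aws_s3_bucket and awscc_s3_bucket. It does what the last comment says is the hard part: each rule maps to a different top-level attribute per provider, so the table of names is the whole difference. The aws_s3_bucket names follow the hashicorp/aws v3 schema; the awscc_s3_bucket names (bucket_encryption, versioning_configuration, logging_configuration) are an assumption based on the awscc schema being generated from the CloudFormation AWS::S3::Bucket property names in snake_case. The HCL samples are constructed from the issue's main.tf. The scan only checks that the attribute is present, not its value, and its HCL handling is a heuristic (string and comment masking plus brace matching; no heredocs, no modules), so treat it as a stop-gap until tfsec handles awscc resources itself.

```python
import re

# Rule id -> top-level attribute or block whose presence satisfies it, per resource type.
# aws_s3_bucket names follow the hashicorp/aws v3 schema; the awscc_s3_bucket names are an
# assumption (awscc schemas are generated from CloudFormation AWS::S3::Bucket properties).
CHECKS = {
    "aws_s3_bucket": {
        "aws-s3-enable-bucket-encryption": "server_side_encryption_configuration",
        "aws-s3-enable-bucket-logging": "logging",
        "aws-s3-enable-versioning": "versioning",
    },
    "awscc_s3_bucket": {
        "aws-s3-enable-bucket-encryption": "bucket_encryption",
        "aws-s3-enable-bucket-logging": "logging_configuration",
        "aws-s3-enable-versioning": "versioning_configuration",
    },
}
RESOURCE_RE = re.compile(r'resource\s+"([a-z0-9_]+)"\s+"([A-Za-z0-9_.-]+)"\s*\{')
KEY_RE = re.compile(r"^\s*([a-z_][a-z0-9_]*)\s*(?:=|\{)")


def mask(src: str) -> str:
    """Blank out string literals and # or // comments (same length, newlines kept). Heredocs are not handled."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c == '"':
            out.append(" ")
            i += 1
            while i < n and src[i] != '"':
                step = 2 if src[i] == "\\" and i + 1 < n else 1  # keep an escaped \" inside the string
                out.append("".join("\n" if ch == "\n" else " " for ch in src[i:i + step]))
                i += step
            out.append(" " if i < n else "")  # closing quote, if the string was terminated
            i += 1
        elif c == "#" or src.startswith("//", i):
            while i < n and src[i] != "\n":
                out.append(" ")
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def resources(src: str):
    """Yield (type, name, masked body) for each resource block in the file."""
    masked = mask(src)
    for m in RESOURCE_RE.finditer(src):
        if masked[m.start()] != "r":  # header text was inside a string or comment
            continue
        depth, i = 1, m.end()
        while i < len(masked) and depth > 0:
            depth += {"{": 1, "}": -1}.get(masked[i], 0)
            i += 1
        yield m.group(1), m.group(2), masked[m.end():i - 1]


def top_level_keys(body: str) -> set:
    """Attribute and nested-block names at depth 0 of a (masked) block body."""
    keys, depth = set(), 0
    for line in body.splitlines():
        if depth == 0 and (km := KEY_RE.match(line)):
            keys.add(km.group(1))
        depth += line.count("{") - line.count("}")
    return keys


def scan(src: str) -> list:
    """Return sorted (rule id, 'type.name') findings for a Terraform file."""
    findings = []
    for rtype, rname, body in resources(src):
        present = top_level_keys(body)
        findings += [(rule, f"{rtype}.{rname}")
                     for rule, attr in CHECKS.get(rtype, {}).items() if attr not in present]
    return sorted(findings)


# Constructed sample: the issue's first main.tf (awscc bucket plus aws public access block).
MIXED_TF = """
resource "awscc_s3_bucket" "mybucket" {
  bucket_name = "tfsec-awscc-bucket-example"
}
resource "aws_s3_bucket_public_access_block" "mybucket-block" {
  bucket                  = awscc_s3_bucket.mybucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
"""
# Constructed sample: the same bucket with the three settings in the assumed awscc layout.
HARDENED_AWSCC_TF = """
resource "awscc_s3_bucket" "mybucket" {
  bucket_name = "tfsec-awscc-bucket-example"  # a brace { in a comment must not matter
  bucket_encryption = { server_side_encryption_configuration = [{
    server_side_encryption_by_default = { sse_algorithm = "AES256" } }] }
  versioning_configuration = { status = "Enabled" }
  logging_configuration    = { destination_bucket_name = "tfsec-awscc-logs" }
}
"""
if __name__ == "__main__":
    print(scan(MIXED_TF), scan(HARDENED_AWSCC_TF))
```

Running it prints the three findings for awscc_s3_bucket.mybucket on the issue's file and an empty list for the hardened bucket; the aws_s3_bucket_public_access_block is skipped because no rule applies to it. Extending it to another resource type is a matter of adding a row to CHECKS with both providers' attribute names, which is also the shape of the work tfsec would need to do internally.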
This issue was closed because it has been stalled for 7 days with no activity.