terraspace
The bucket policy ForceSSLOnlyAccess is added in a wrong way and Security Hub still reports it as insecure
Checklist
- [X] Upgrade Terraspace: Are you using the latest version of Terraspace? This allows Terraspace to fix issues fast. There's an Upgrading Guide: https://terraspace.cloud/docs/misc/upgrading/
- [X] Reproducibility: Are you reporting a bug others will be able to reproduce and not asking a question. If you're unsure or want to ask a question, do so on https://community.boltops.com
- [X] Code sample: Have you put together a code sample to reproduce the issue and make it available? Code samples help speed up fixes dramatically. If it's an easily reproducible issue, then code samples are not needed. If you're unsure, please include a code sample.
My Environment
Software | Version
---|---
Operating System | Podman image bookworm/sid
Terraform | v1.3.0
Terraspace | 2.2.2
Ruby | ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [x86_64-linux]
Expected Behaviour
I added the parameter `config.s3.enforce_ssl = true` to aws.rb, and Terraspace should create the following bucket policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ForceSSLOnlyAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET_ID/*",
        "arn:aws:s3:::BUCKET_ID"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Current Behavior
The following bucket policy is being created instead, and Security Hub still raises the finding S3.5 "S3 buckets should require requests to use Secure Socket Layer":
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ForceSSLOnlyAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET_ID/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Step-by-step reproduction instructions
Activate `config.s3.enforce_ssl = true` in aws.rb.
Code Sample
```ruby
TerraspacePluginAws.configure do |config|
  config.auto_create = true # set to false to completely disable auto creation
  config.tag_existing = true # if bucket or dynamodb already exists will tag them. Tags are appended.
  config.s3.access_logging = true # false is the default setting
  config.s3.block_public_access = true
  config.s3.encryption = true
  config.s3.enforce_ssl = true # the setting this report is about: should add the ForceSSLOnlyAccess bucket policy
  config.s3.lifecycle = true
  config.s3.versioning = true
  config.s3.secure_existing = true # run the security controls on existing buckets. by default, only run on newly created bucket the first time
  # config.s3.tags = {} # override config.tags setting
  config.dynamodb.encryption = true
  config.dynamodb.kms_master_key_id = "alias/aws/dynamodb"
  config.dynamodb.sse_type = "KMS"
  # config.dynamodb.tags = {} # override config.tags setting
end
```
Solution Suggestion
Add the policy suggested by AWS: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation
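As an added example (not code from the reporter or from the Terraspace project), the Ruby script below builds the ForceSSLOnlyAccess statement from the AWS S3.5 remediation and lists what a narrower statement is missing relative to it. The generated statement is the one the report expects; the observed statement is reconstructed from the report. The `gaps` check is an approximation of the control written for this example, not Security Hub's own evaluator, and the bucket name `BUCKET_ID` is the placeholder the report uses.

```ruby
require "json"

# Constructed sample: the statement the report shows Terraspace generating.
# It only covers s3:GetObject on objects, not every action on bucket and objects.
OBSERVED_STATEMENT = {
  "Sid" => "ForceSSLOnlyAccess",
  "Effect" => "Deny",
  "Principal" => "*",
  "Action" => "s3:GetObject",
  "Resource" => "arn:aws:s3:::BUCKET_ID/*",
  "Condition" => { "Bool" => { "aws:SecureTransport" => "false" } }
}.freeze

# The statement from the AWS S3.5 remediation: deny every S3 action, on the
# bucket itself and on its objects, whenever the request did not use TLS.
def force_ssl_statement(bucket)
  {
    "Sid" => "ForceSSLOnlyAccess",
    "Effect" => "Deny",
    "Principal" => "*",
    "Action" => "s3:*",
    "Resource" => ["arn:aws:s3:::#{bucket}/*", "arn:aws:s3:::#{bucket}"],
    "Condition" => { "Bool" => { "aws:SecureTransport" => "false" } }
  }
end

def force_ssl_policy(bucket)
  { "Version" => "2012-10-17", "Statement" => [force_ssl_statement(bucket)] }
end

# IAM policy elements may be a scalar or an array; compare them as arrays.
def as_list(value)
  Array(value)
end

# Return what a statement lacks relative to the S3.5 remediation (approximate
# check written for this example). An empty list means all non-TLS access is denied.
def gaps(stmt, bucket)
  missing = []
  missing << "Effect must be Deny" unless stmt["Effect"] == "Deny"

  principal = stmt["Principal"]
  anyone = principal == "*" ||
           (principal.is_a?(Hash) && as_list(principal["AWS"]).include?("*"))
  missing << "Principal must be *" unless anyone

  actions = as_list(stmt["Action"])
  missing << "Action must include s3:* (got #{actions.join(', ')})" unless actions.include?("s3:*")

  resources = as_list(stmt["Resource"])
  ["arn:aws:s3:::#{bucket}", "arn:aws:s3:::#{bucket}/*"].each do |arn|
    missing << "Resource must include #{arn}" unless resources.include?(arn)
  end

  # The condition value is the string "false" in policy JSON; accept a boolean too.
  secure = stmt.dig("Condition", "Bool", "aws:SecureTransport")
  missing << "Condition must be Bool aws:SecureTransport=false" unless secure.to_s == "false"
  missing
end

# A policy enforces TLS if at least one of its statements closes every gap.
def enforces_ssl?(policy, bucket)
  policy.fetch("Statement", []).any? { |s| gaps(s, bucket).empty? }
end

if __FILE__ == $PROGRAM_NAME
  observed = { "Version" => "2012-10-17", "Statement" => [OBSERVED_STATEMENT] }
  puts "observed policy enforces SSL: #{enforces_ssl?(observed, 'BUCKET_ID')}"
  gaps(OBSERVED_STATEMENT, "BUCKET_ID").each { |g| puts "  - #{g}" }
  puts "expected policy enforces SSL: #{enforces_ssl?(force_ssl_policy('BUCKET_ID'), 'BUCKET_ID')}"
  puts JSON.pretty_generate(force_ssl_policy("BUCKET_ID"))
end
```

Run against the observed statement, the check reports two gaps: the action is `s3:GetObject` rather than `s3:*`, and the bucket ARN `arn:aws:s3:::BUCKET_ID` is absent from the resources, so non-TLS `PutObject`, `ListBucket` and every other call stay allowed. The generated statement closes both gaps and serialises to the JSON shown under Expected Behaviour.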