We use GitHub Actions and tfsec to run static analysis over our Terraform code and spot potential security issues. The following checks are intentionally skipped; each row records the finding, its impact, and why the default is accepted or how it can be overridden:
File | Issue ID | Impact | Resolution |
---|---|---|---|
modules/eks/main.tf | aws-eks-no-public-cluster-access | EKS API endpoint can be accessed from the internet | By default we create a publicly accessible EKS cluster; the endpoint is secured by AWS IAM authentication. |
modules/eks/main.tf | aws-eks-no-public-cluster-access-to-cidr | EKS API endpoint can be accessed from 0.0.0.0/0 | By default we create a publicly accessible EKS cluster; a more specific CIDR range can be set using `cluster_endpoint_public_access_cidrs`. |
modules/eks/main.tf | aws-eks-enable-control-plane-logging | Control-plane logging provides valuable information about access and usage | By default only `audit` logging is enabled; this can be overridden using `var.eks_cluster_enabled_log_types`. |
modules/eks/security_groups.tf | aws-ec2-no-public-egress-sgr | The security group allows egress traffic to the internet | By default all resources in the VPC can reach 0.0.0.0/0. |
modules/eks/security_groups.tf | aws-ec2-no-public-egress-sgr | The security group allows egress traffic to the internet | By default worker nodes can reach 0.0.0.0/0. |
modules/vpc/main.tf | aws-ec2-require-vpc-flow-logs-for-all-vpcs | Without VPC flow logs, you risk not having enough information about network traffic to investigate incidents or identify security issues | Disabled by default; this can be overridden using `var.enable_vpc_log`. |
modules/s3/main.tf | aws-s3-enable-bucket-logging | There is no way to determine who accessed this bucket | Disabled by default, since only the app is allowed to access this bucket; this can be overridden using `var.enable_log_bucket`. |
modules/s3/main.tf | aws-s3-enable-versioning | Deleted or overwritten objects cannot be restored | Disabled by default, since we don't want to store historical data; this can be overridden using `var.enable_bucket_versioning`. |
modules/s3_role/main.tf | aws-iam-no-policy-wildcards | False-positive warning from tfsec | Ignore it: a wildcard on the object path is the recommended way to define an ARN policy for a bucket. |
modules/load-balancer-controller/main.tf | aws-iam-no-policy-wildcards | The load balancer controller has broader access to AWS resources than a least-privilege policy would grant | Skipped by default, since we cannot predict the resource ARNs at this stage. |
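To keep each skip tied to the exact attribute that triggers it, the EKS rows above can be recorded with tfsec's inline `#tfsec:ignore:<rule-id>` comments instead of a global exclude. The block below is an added example, not the module's own code: the `aws_eks_cluster` attributes and the `cluster_name`, `cluster_role_arn` and `subnet_ids` variables are assumed, while `cluster_endpoint_public_access_cidrs` and `eks_cluster_enabled_log_types` are the override variables named in the table.

```hcl
# Added example (not the module's real code). Each ignore sits on the attribute
# tfsec reports, so it suppresses one finding only; the logging ignore carries an
# expiry date (tfsec's :exp:YYYY-MM-DD syntax) so it resurfaces when it lapses.

variable "cluster_endpoint_public_access_cidrs" {
  description = "CIDRs allowed to reach the public API endpoint; narrow this per environment"
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

variable "eks_cluster_enabled_log_types" {
  description = "Control-plane log types shipped to CloudWatch (only audit by default)"
  type        = list(string)
  default     = ["audit"]
}

# Hypothetical inputs, assumed for the example only.
variable "cluster_name" { type = string }
variable "cluster_role_arn" { type = string }
variable "subnet_ids" { type = list(string) }

resource "aws_eks_cluster" "this" {
  name     = var.cluster_name
  role_arn = var.cluster_role_arn

  vpc_config {
    subnet_ids              = var.subnet_ids
    endpoint_private_access = true
    # Public endpoint is by design; callers still need valid AWS IAM credentials.
    endpoint_public_access  = true #tfsec:ignore:aws-eks-no-public-cluster-access
    # Default is wide open; override the variable with office/VPN ranges.
    public_access_cidrs     = var.cluster_endpoint_public_access_cidrs #tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
  }

  # Only audit logs by default; the dated ignore forces a review when it expires.
  enabled_cluster_log_types = var.eks_cluster_enabled_log_types #tfsec:ignore:aws-eks-enable-control-plane-logging:exp:2025-12-31
}
```

Running `tfsec .` against this module reports the three EKS findings as ignored rather than passed, which keeps them visible in the CI summary while the documented defaults stand.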