Terraform Analyzer Updates – May 2021

We have added 58 new issues to our Terraform Analyzer to help you find many more problems in your Terraform code. The newly added issues detect violations of AWS's security best-practice recommendations. We have also updated all new and existing issues with better descriptions, references, and examples.

Here are some of the newly added issues:

KMS key is not configured to auto-rotate

Not recommended:

resource "aws_kms_key" "not_recommended" {
	enable_key_rotation = false
}

Recommended:

resource "aws_kms_key" "recommended" {
	enable_key_rotation = true
}

API Gateway domain name uses outdated SSL/TLS protocols

Not recommended:

resource "aws_api_gateway_domain_name" "not_recommended" {
	security_policy = "TLS_1_0"
}

Recommended:

resource "aws_api_gateway_domain_name" "recommended" {
	security_policy = "TLS_1_2"
}

IAM Password policy should prevent password reuse

Not recommended:

resource "aws_iam_account_password_policy" "not_recommended" {
	# ...
	password_reuse_prevention = 1
	# ...
}

Recommended:

resource "aws_iam_account_password_policy" "recommended" {
	# ...
	password_reuse_prevention = 5
	# ...
}

AWS provider has access credentials specified

Not recommended:

provider "aws" {
  access_key = "AKIBAGFV52QAZWSX9OPE"
  secret_key = "s1f0xdse7obcd5ophgs4"
}

Recommended:

provider "aws" {
  # No credentials in code: the provider reads them from environment variables,
  # the shared credentials/config files, or an attached IAM role.
}

EFS Encryption has not been enabled

Not recommended:

resource "aws_efs_file_system" "not_recommended" {
  creation_token = "fuse"
  encrypted      = false
  kms_key_id     = ""
}

Recommended:

resource "aws_efs_file_system" "recommended" {
  creation_token = "fuse"
  encrypted      = true
  kms_key_id     = "your/kms/key"
}

An ingress Network ACL rule allows specific ports from /0

Not recommended:

resource "aws_network_acl_rule" "not_recommended" {
  egress         = false
  protocol       = "tcp"
  from_port      = 22
  to_port        = 22
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}

Recommended:

resource "aws_network_acl_rule" "recommended" {
  egress         = false
  protocol       = "tcp"
  from_port      = 22
  to_port        = 22
  rule_action    = "allow"
  cidr_block     = "10.0.0.0/16"
}

An ingress Network ACL rule allows all ports from /0

Not recommended:

resource "aws_network_acl_rule" "not_recommended" {
  egress         = false
  protocol       = "all"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}

Recommended:

resource "aws_network_acl_rule" "recommended" {
  egress         = false
  protocol       = "tcp"
  from_port      = 22
  to_port        = 22
  rule_action    = "allow"
  cidr_block     = "10.0.0.0/16"
}
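
The checks behind the provider-credentials rule and the two ingress Network ACL rules above can be sketched in a few lines. The following is an added example, not the analyzer's own code: a deliberately minimal regex parser that reads only flat `key = value` attributes inside top-level blocks (nested blocks are ignored), run over a constructed sample whose resource names and credential values are made up placeholders.

```python
# Added example, not the analyzer's code: a minimal checker for the provider-
# credentials rule and the two ingress Network ACL rules. It reads only flat
# key = value attributes inside top-level blocks; nested blocks are ignored.
import re

BLOCK_RE = re.compile(r'(resource|provider)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

# Constructed sample input; the credential values are placeholders, not real keys.
SAMPLE_TF = '''
provider "aws" {
  access_key = "AKIA-PLACEHOLDER"
  secret_key = "secret-placeholder"
}
resource "aws_network_acl_rule" "ssh_open" {
  egress      = false
  protocol    = "tcp"
  rule_action = "allow"
  cidr_block  = "0.0.0.0/0"
}
resource "aws_network_acl_rule" "all_open" {
  egress      = false
  protocol    = "-1"
  rule_action = "allow"
  cidr_block  = "0.0.0.0/0"
}
resource "aws_network_acl_rule" "internal" {
  egress      = false
  protocol    = "tcp"
  rule_action = "allow"
  cidr_block  = "10.0.0.0/16"
}
'''

def parse_blocks(hcl):
    # Yield (kind, first label, second label, {attr: value}) per top-level block.
    for kind, a, b, body in BLOCK_RE.findall(hcl):
        yield kind, a, b, dict(ATTR_RE.findall(body))

def check(hcl):
    # Return (address, message) findings that mirror the rule titles above.
    findings = []
    for kind, typ, name, attrs in parse_blocks(hcl):
        if kind == "provider" and typ == "aws" and {"access_key", "secret_key"} & attrs.keys():
            findings.append(("provider.aws", "AWS provider has access credentials specified"))
        elif (kind == "resource" and typ == "aws_network_acl_rule" and attrs.get("egress", "false") == "false"
              and attrs.get("rule_action") == "allow" and attrs.get("cidr_block") == "0.0.0.0/0"):
            scope = "all" if attrs.get("protocol") in ("-1", "all") else "specific"
            findings.append((f"aws_network_acl_rule.{name}", f"ingress rule allows {scope} ports from /0"))
    return findings
```

Running `check(SAMPLE_TF)` flags the provider block and both open rules; the rule restricted to 10.0.0.0/16 produces no finding.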

RDS encryption not enabled at a database instance level

Not recommended:

resource "aws_db_instance" "not_recommended" {
    # ...
}

Recommended:

resource "aws_db_instance" "recommended" {
    # ...
    storage_encrypted = true
    # ...
}

CloudFront distribution should have Access Logging configured

Not recommended:

resource "aws_cloudfront_distribution" "not_recommended" {
	# configurations (excluding "logging_config")
}

Recommended:

resource "aws_cloudfront_distribution" "recommended" {
	# ...
	logging_config {
		include_cookies = false
		bucket          = "bkt.s3.amazonaws.com"
		prefix          = "cdn"
	}
}

Kinesis stream is unencrypted

Not recommended:

resource "aws_kinesis_stream" "not_recommended" {
	encryption_type = "NONE"
}

Recommended:

resource "aws_kinesis_stream" "recommended" {
	encryption_type = "KMS"
	kms_key_id = "your/kms/key"
}