Fix security violations #1

Open
yi2020 opened this issue Dec 2, 2020 · 0 comments

yi2020 commented Dec 2, 2020

When using this module with a public subnet, the Consul server is exposed on port 22 to the Internet, and also is using IMDSv1. Found this out by running Indeni Cloudrail against a TF file using this module (see below).

I'll open a PR to fix this.

main.tf:

provider "aws" {
  region = "us-east-1"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "2.48.0"

  name            = "Ec2RoleShareRule1"
  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  cidr                          = "10.0.0.0/16"
  manage_default_security_group = true
  default_security_group_ingress = [
    {
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      description = "ssh"
      cidr_blocks = "0.0.0.0/0"
    }
  ]
  default_security_group_egress = []
}

module "consul" {
  source = "git::https://github.com/DavidWittman/terraform-consul-asg.git"

  vpc_id = module.vpc.vpc_id
  subnet_ids = module.vpc.public_subnets
  key_name = "cloudrail_test"

}

Indeni Cloudrail output:

Rule: Ensure no used security groups allow ingress from 0.0.0.0/0 or ::/0 to port 22 (SSH)
 - 3 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [consul-asg - module.consul.aws_launch_configuration.consul.name-pseudo-instance-subnet-Ec2RoleShareRule1-public-us-east-1a] (Not found in TF)
     Violating Resource: [module.consul.aws_security_group.consul]  (.terraform/modules/consul/main.tf:112)

     Evidence:
         Internet
             | Subnet module.vpc.aws_subnet.public[0] has Internet Gateway
             | Instance consul-asg - module.consul.aws_launch_configuration.consul.name-pseudo-instance-subnet-Ec2RoleShareRule1-public-us-east-1a is on module.vpc.aws_subnet.public[0]
             | Subnet routes traffic from instance to Internet Gateway
             | Subnet uses NACL nacl-pseudo-4be3fb72-2542-445e-940f-9883516f8662 which allows port 22
             | Instance uses Security Group ['module.consul.aws_security_group.consul']
             | Security Group allows port 22
         Instance


   - Exposed Resource: [consul-asg - module.consul.aws_launch_configuration.consul.name-pseudo-instance-subnet-Ec2RoleShareRule1-public-us-east-1b] (Not found in TF)
     Violating Resource: [module.consul.aws_security_group.consul]  (.terraform/modules/consul/main.tf:112)

     Evidence:
         Internet
             | Subnet module.vpc.aws_subnet.public[1] has Internet Gateway
             | Instance consul-asg - module.consul.aws_launch_configuration.consul.name-pseudo-instance-subnet-Ec2RoleShareRule1-public-us-east-1b is on module.vpc.aws_subnet.public[1]
             | Subnet routes traffic from instance to Internet Gateway
             | Subnet uses NACL nacl-pseudo-4be3fb72-2542-445e-940f-9883516f8662 which allows port 22
             | Instance uses Security Group ['module.consul.aws_security_group.consul']
             | Security Group allows port 22
         Instance


   - Exposed Resource: [consul-asg - module.consul.aws_launch_configuration.consul.name-pseudo-instance-subnet-Ec2RoleShareRule1-public-us-east-1c] (Not found in TF)
     Violating Resource: [module.consul.aws_security_group.consul]  (.terraform/modules/consul/main.tf:112)

     Evidence:
         Internet
             | Subnet module.vpc.aws_subnet.public[2] has Internet Gateway
             | Instance consul-asg - module.consul.aws_launch_configuration.consul.name-pseudo-instance-subnet-Ec2RoleShareRule1-public-us-east-1c is on module.vpc.aws_subnet.public[2]
             | Subnet routes traffic from instance to Internet Gateway
             | Subnet uses NACL nacl-pseudo-4be3fb72-2542-445e-940f-9883516f8662 which allows port 22
             | Instance uses Security Group ['module.consul.aws_security_group.consul']
             | Security Group allows port 22
         Instance


-----------------------------------------------
Rule: Ensure IMDSv2 is used and IMDSv1 is disabled
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [module.consul.aws_launch_configuration.consul] (.terraform/modules/consul/main.tf:141)
     Violating Resource: [module.consul.aws_launch_configuration.consul]  (.terraform/modules/consul/main.tf:141)

     Evidence:
             | The Launch Configuration module.consul.aws_launch_configuration.consul is allowing IMDSv1
-----------------------------------------------

Cloudrail has listed "pseudo" objects in the above results.
These are resources that don't exist yet, or don't show in the Terraform input, but we know will be created in the real live environment.

Some of the data sources blocks you’ve used could not be evaluated during plan time.
As a result, the contents in these blocks were not included in Cloudrail’s analysis:
  * module.consul.data.aws_ami.centos
  * module.consul.data.aws_region.current
  * module.consul.data.template_file.install

Summary:
2 Rules Violated:
  0 Mandated Rules (these are considered FAILURES)
  2 Advisory Rules (these are considered WARNINGS)
66 Rules Passed
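The two Cloudrail findings above map onto two settings in the Consul module: the security group that admits SSH from 0.0.0.0/0, and instances launched without IMDSv2 enforcement. The block below is an added example (it is not code from the terraform-consul-asg module or from the reporter) showing both in corrected form, following the approach the fix commit describes (a launch template). Variable names, the instance type, the ASG sizes and the trusted SSH range are assumptions for illustration.

```hcl
# Added example, not the module's own code. Variable names and defaults are
# assumptions; the 10.0.0.0/16 range is a constructed value matching the VPC
# CIDR in the issue's main.tf.

variable "vpc_id"     { type = string }
variable "subnet_ids" { type = list(string) }
variable "ami_id"     { type = string }
variable "key_name"   { type = string }

# Assumption: SSH is only ever reached from inside the VPC (bastion/VPN),
# never from the Internet. Leaving this at ["0.0.0.0/0"] is exactly what
# triggers the "ingress from 0.0.0.0/0 ... to port 22" rule.
variable "ssh_cidr_blocks" {
  type    = list(string)
  default = ["10.0.0.0/16"]
}

resource "aws_security_group" "consul" {
  name_prefix = "consul-"
  vpc_id      = var.vpc_id

  # Port 22 is scoped to the trusted ranges instead of the whole Internet.
  ingress {
    description = "ssh from trusted ranges only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_cidr_blocks
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# IMDSv2 enforcement lives in metadata_options on the launch template.
resource "aws_launch_template" "consul" {
  name_prefix   = "consul-"
  image_id      = var.ami_id
  instance_type = "t3.small" # assumption
  key_name      = var.key_name

  vpc_security_group_ids = [aws_security_group.consul.id]

  metadata_options {
    http_endpoint = "enabled"
    # "required" makes the session token mandatory, so plain IMDSv1
    # GET requests to 169.254.169.254 are refused.
    http_tokens = "required"
    # A hop limit of 1 stops the token response from being relayed
    # through a container or proxy running on the instance.
    http_put_response_hop_limit = 1
  }
}

resource "aws_autoscaling_group" "consul" {
  name_prefix         = "consul-"
  vpc_zone_identifier = var.subnet_ids
  min_size            = 3 # assumption
  max_size            = 3
  desired_capacity    = 3

  launch_template {
    id      = aws_launch_template.consul.id
    version = "$Latest"
  }

  tag {
    key                 = "Name"
    value               = "consul-asg"
    propagate_at_launch = true
  }
}
```

Two design points. Making the SSH source a list variable with a private default means a caller who really needs wider access has to opt in explicitly, which is the setting a scanner such as Cloudrail will then flag in the caller's own code rather than inside a vendored module. And `http_tokens = "required"` is a per-instance property, so it has to be set wherever instances are created; checking the module's launch template (or launch configuration) is the place to verify it, not the calling root module.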

yi2020 added a commit to yi2020/terraform-consul-asg that referenced this issue Dec 2, 2020
… needed anymore, can remove that) and now using IMDSv2 via launch template