Update ecs.tf #6
base: main
Conversation
Prisma Cloud has found errors in this PR ⬇️
| name = "example" | ||
| } | ||
|
|
||
| resource "aws_ecs_cluster" "test" { |
AWS ECS cluster with container insights feature disabled
Resource: aws_ecs_cluster.test | ID: BC_AWS_LOGGING_11
How to Fix
resource "aws_ecs_cluster" "foo" {
...
name = "white-hart"
+ setting {
+ name = "containerInsights"
+ value = "enabled"
+ }
}
Description
Container Insights can be used to collect, aggregate, and summarize metrics and logs from containerized applications and microservices. They can also be extended to collect metrics at the cluster, task, and service levels. Using Container Insights allows you to monitor, troubleshoot, and set alarms for all your Amazon ECS resources. It provides a simple-to-use, native and fully managed service for managing ECS issues. We recommend that for existing clusters you use the AWS CLI; and for new clusters, you use either the Amazon ECS console, or the AWS CLI.
| deletion_window_in_days = 7 | ||
| } | ||
|
|
||
| resource "aws_cloudwatch_log_group" "example" { |
AWS resources that support tags do not have Tags
Resource: aws_cloudwatch_log_group.example | ID: BC_AWS_GENERAL_26
How to Fix
resource "aws_security_group" "sg" {
name = "my-sg"
...
+ tags = {
+ Environment = "dev"
+ Owner = "apps-team"
+ }
}
Description
Many different types of AWS resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice. View AWS's recommended tagging best practices here.
| deletion_window_in_days = 7 | ||
| } | ||
|
|
||
| resource "aws_cloudwatch_log_group" "example" { |
AWS CloudWatch Log groups not configured with definite retention days
Resource: aws_cloudwatch_log_group.example | ID: BC_AWS_LOGGING_13
How to Fix
resource "aws_cloudwatch_log_group" "example" {
...
name = "example"
+ retention_in_days = 90
}
Description
Enabling CloudWatch retention establishes how long log events are kept in AWS CloudWatch Logs. Retention settings are assigned to CloudWatch log groups and the retention period assigned to a log group is applied to their log streams. Any data older than the current retention setting is deleted automatically. You can change the log retention for each log group at any time. Log data is stored in CloudWatch Logs indefinitely by default. This may incur high unexpected costs, especially when combined with other forms of logging. We recommend you configure how long to store log data for in a log group to balance cost with compliance retention requirements.
Benchmarks
- FEDRAMP (MODERATE) AU-11, SI-12
| } | ||
| } | ||
|
|
||
| resource "aws_ecs_task_definition" "service" { |
AWS resources that support tags do not have Tags
Resource: aws_ecs_task_definition.service | ID: BC_AWS_GENERAL_26
How to Fix
resource "aws_security_group" "sg" {
name = "my-sg"
...
+ tags = {
+ Environment = "dev"
+ Owner = "apps-team"
+ }
}
Description
Many different types of AWS resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice. View AWS's recommended tagging best practices here.
| deletion_window_in_days = 7 | ||
| } | ||
|
|
||
| resource "aws_cloudwatch_log_group" "example" { |
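Review bot: the `aws_cloudwatch_log_group "example"` opened on the last line of this hunk does not reference the `aws_kms_key.example` that the same file creates (the BC_AWS_GENERAL_85 finding below confirms it is still on the CloudWatch-managed default key), so the KMS key is defined but never used. Add `kms_key_id = aws_kms_key.example.arn` to the log group, and give the key a `policy` statement that allows the `logs.<region>.amazonaws.com` service principal `kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:Describe*`, ideally scoped with a `kms:EncryptionContext:aws:logs:arn` condition to this log group; without that statement CloudWatch Logs cannot use the key and the association is rejected at apply time.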
AWS CloudWatch Log groups encrypted using default encryption key instead of KMS CMK
Resource: aws_cloudwatch_log_group.example | ID: BC_AWS_GENERAL_85
Description
Log group data requires mandatory encryption settings in CloudWatch Logs. Developers can optionally use AWS Key Management Service for this encryption. This approach has several limitations:
- If you revoke CloudWatch Logs access to an associated CMK or delete an associated CMK, your encrypted data in CloudWatch Logs can no longer be retrieved.
- You cannot associate a CMK with a log group using the CloudWatch console.
| @@ -1,9 +1,47 @@ | |||
| resource "aws_kms_key" "example" { | |||
AWS resources that support tags do not have Tags
Resource: aws_kms_key.example | ID: BC_AWS_GENERAL_26
How to Fix
resource "aws_security_group" "sg" {
name = "my-sg"
...
+ tags = {
+ Environment = "dev"
+ Owner = "apps-team"
+ }
}
Description
Many different types of AWS resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice. View AWS's recommended tagging best practices here.
| resource "aws_kms_key" "example" { | ||
| description = "example" | ||
| deletion_window_in_days = 7 | ||
| } |
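Review bot: `deletion_window_in_days = 7` on this key is the shortest waiting period KMS accepts, which leaves only seven days to cancel an accidental key deletion before the key material is gone for good; once this key is used for the log group, every log event encrypted under it becomes unreadable at that point. Unless this is a disposable environment, keep the provider default of 30 (also the KMS maximum), and add `enable_key_rotation = true` as the suggestion below shows, since the block as written leaves rotation off.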
| } | |
| enable_key_rotation = true | |
| } |
AWS Customer Master Key (CMK) rotation is not enabled
Resource: aws_kms_key.example | ID: BC_AWS_LOGGING_8
Description
AWS Key Management Service (KMS) allows customers to rotate the backing key. This is where key material is stored within the KMS, and tied to the key ID of the Customer Created customer master key (CMK). The backing key is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys, allowing decryption of encrypted data to take place transparently. We recommend you enable CMK key rotation to help reduce the potential impact of a compromised key. Data encrypted with a new key cannot be accessed with a previous key that may have been exposed.
Benchmarks
- PCI-DSS V3.2 3
- ISO27001 A.10.1.2
- CIS AWS V1.2 2.8
- PCI-DSS V3.2.1 3.6.4
- FEDRAMP (MODERATE) SC-12
- CIS AWS V1.3 3.8
| name = "example" | ||
| } | ||
|
|
||
| resource "aws_ecs_cluster" "test" { |
AWS resources that support tags do not have Tags
Resource: aws_ecs_cluster.test | ID: BC_AWS_GENERAL_26
How to Fix
resource "aws_security_group" "sg" {
name = "my-sg"
...
+ tags = {
+ Environment = "dev"
+ Owner = "apps-team"
+ }
}
Description
Many different types of AWS resources support tags. Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names. While there are many ways that tags can be used, we recommend you follow a tagging practice. View AWS's recommended tagging best practices here.
No description provided.
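The five findings in this thread (Container Insights off, missing tags, no log retention, log group on the default key instead of a CMK, key rotation off) all land in the same small file, so here is one hardened `ecs.tf` that clears all of them together. This is an added example, not the PR's own code: the resource names match the thread, but the provider version, the tag values, the log group's 90-day retention, the 30-day deletion window, the container image and the EC2 launch type are assumptions.

```hcl
# Added example, not the PR's own code: one ecs.tf that clears every finding
# in the thread. Assumed: provider 5.x, tag values, image, EC2 launch type.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # BC_AWS_GENERAL_26: one tag map applied to every taggable resource below
  tags = {
    Environment = "dev"
    Owner       = "apps-team"
  }
  log_group_name = "example"
}

# BC_AWS_LOGGING_8: rotation on. The policy lets the CloudWatch Logs service
# principal use the key, scoped to this one log group; without that statement
# the kms_key_id association on the log group is rejected at apply time.
resource "aws_kms_key" "example" {
  description             = "example"
  deletion_window_in_days = 30 # provider default and KMS maximum; 7 is the minimum
  enable_key_rotation     = true
  tags                    = local.tags

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "CloudWatchLogsUse"
        Effect    = "Allow"
        Principal = { Service = "logs.${data.aws_region.current.name}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = {
          ArnEquals = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.log_group_name}"
          }
        }
      }
    ]
  })
}

# BC_AWS_LOGGING_13: finite retention. BC_AWS_GENERAL_85: encrypted with the CMK above.
resource "aws_cloudwatch_log_group" "example" {
  name              = local.log_group_name
  retention_in_days = 90 # assumed; pick the value your retention policy requires
  kms_key_id        = aws_kms_key.example.arn
  tags              = local.tags
}

# BC_AWS_LOGGING_11: Container Insights enabled
resource "aws_ecs_cluster" "test" {
  name = "example"

  setting {
    name  = "containerInsights"
    value = "enabled"
  }

  tags = local.tags
}

# The task ships container logs to the encrypted group via the awslogs driver.
# Assumed EC2 launch type, so the container instance role (not shown) must hold
# logs:CreateLogStream and logs:PutLogEvents for the group.
resource "aws_ecs_task_definition" "service" {
  family       = "service"
  network_mode = "bridge"
  tags         = local.tags

  container_definitions = jsonencode([{
    name      = "app"
    image     = "public.ecr.aws/nginx/nginx:stable" # assumed image
    essential = true
    memory    = 256
    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = aws_cloudwatch_log_group.example.name
        "awslogs-region"        = data.aws_region.current.name
        "awslogs-stream-prefix" = "ecs"
      }
    }
  }])
}
```

Run `terraform validate` and then the same Prisma Cloud / Checkov scan the bot runs on the PR; none of the five IDs should remain. The key policy deliberately references the log group by name through `local.log_group_name` rather than through the resource, so there is no dependency cycle between the key (which the log group needs) and the log group ARN (which the key's condition needs). Keep the 30-day deletion window unless the environment is disposable: once the group is on this CMK, deleting the key makes every retained log event unreadable, which is exactly the limitation the BC_AWS_GENERAL_85 description warns about.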