Tfsec Ignore Multiple Errors

How To Ignore Multiple tfsec Errors

I stumbled upon this today when I wanted to get a pre-commit hook running again that runs tfsec.

If we want to ignore multiple checks in one tfsec run, we can pass the -e flag (long form --exclude) a single comma-separated string of check IDs. The IDs are the names tfsec prints in square brackets in front of each result, such as aws-s3-enable-versioning.

tfsec -e ${check_ids}
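Since the reason for all this was a pre-commit hook, here is what wiring the flag into one can look like. This is an added example, not the hook from the original post: it assumes tfsec is on PATH, uses --exclude (the long form of -e), and the two accepted check IDs in ACCEPTED_CHECKS are a hypothetical decision for the example, not a recommendation.

```shell
#!/bin/sh
# Added example: a minimal .git/hooks/pre-commit that runs tfsec on every
# directory containing a staged .tf file, with an agreed list of checks
# excluded. Assumes tfsec is on PATH; the accepted check IDs below are a
# hypothetical decision for this example, not something the post recommends.

# Check IDs accepted repo-wide. Every ID here silences that check for *every*
# resource tfsec scans, so keep the list short and reviewed.
ACCEPTED_CHECKS="aws-s3-enable-versioning
aws-s3-enable-bucket-logging"

# join_excludes ID...: build the comma-separated string that -e/--exclude
# expects. Anything that does not look like a check ID (letters, digits,
# hyphens) is rejected, so a typo cannot silently change the exclusion list.
join_excludes() {
    out=""
    for id in "$@"; do
        case "$id" in
            ""|*[!A-Za-z0-9-]*)
                echo "join_excludes: invalid check id '$id'" >&2
                return 1 ;;
        esac
        out="${out:+$out,}$id"
    done
    printf '%s' "$out"
}

# staged_tf_dirs: unique directories of Terraform files staged for this commit.
staged_tf_dirs() {
    git diff --cached --name-only --diff-filter=ACMR -- '*.tf' |
        while IFS= read -r f; do dirname "$f"; done | sort -u
}

main() {
    command -v tfsec >/dev/null 2>&1 || { echo "pre-commit: tfsec not installed" >&2; exit 1; }
    # Word-splitting ACCEPTED_CHECKS on whitespace is intended here.
    excludes=$(join_excludes $ACCEPTED_CHECKS) || exit 1
    status=0
    for dir in $(staged_tf_dirs); do
        # tfsec exits non-zero when it reports problems; that blocks the commit.
        tfsec --exclude "$excludes" "$dir" || status=1
    done
    exit "$status"
}

# Only scan when installed under the hook name; sourcing the file elsewhere
# (for instance to test join_excludes) just defines the functions.
case "${0##*/}" in
    pre-commit) main "$@" ;;
esac
```

Install it as .git/hooks/pre-commit (executable) and the exclusion list is versioned in one visible place rather than retyped on the command line; anyone reading the hook can see exactly which checks the repository has decided not to enforce.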

Example

Assuming we have an s3.tf like the following:

# s3.tf
resource "aws_s3_bucket" "bad_example" {
    acl = "public-read"
}

tfsec will produce the following output:

$ tfsec

Result 1

[aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.bad_example has no associated aws_s3_bucket_public_access_block.
/tmp/s3.tf:1-3


      1 | resource "aws_s3_bucket" "bad_example" {
      2 |           acl = "public-read"
      3 |        }
      4 |

Legacy ID:  AWS098
Impact:     Public access policies may be applied to sensitive data buckets
Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

Result 2

[aws-s3-enable-bucket-encryption][HIGH] Resource 'aws_s3_bucket.bad_example' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/tmp/s3.tf:1-3


      1 | resource "aws_s3_bucket" "bad_example" {
      2 |           acl = "public-read"
      3 |        }
      4 |

Legacy ID:  AWS017
Impact:     The bucket objects could be read if compromised
Resolution: Configure bucket encryption

More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html

Result 3

[aws-s3-enable-bucket-logging][MEDIUM] Resource 'aws_s3_bucket.bad_example' does not have logging enabled.
/tmp/s3.tf:1-3


      1 | resource "aws_s3_bucket" "bad_example" {
      2 |           acl = "public-read"
      3 |        }
      4 |

Legacy ID:  AWS002
Impact:     There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging

More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
- https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html

Result 4

[aws-s3-enable-versioning][MEDIUM] Resource 'aws_s3_bucket.bad_example' does not have versioning enabled
/tmp/s3.tf:1-3


      1 | resource "aws_s3_bucket" "bad_example" {
      2 |           acl = "public-read"
      3 |        }
      4 |

Legacy ID:  AWS077
Impact:     Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification

More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html

Result 5

[aws-s3-no-public-access-with-acl][CRITICAL] Resource 'aws_s3_bucket.bad_example' has an ACL which allows public access.
/tmp/s3.tf:2


      1 | resource "aws_s3_bucket" "bad_example" {
      2 |           acl = "public-read"    string: "public-read"
      3 |        }
      4 |

Legacy ID:  AWS001
Impact:     The contents of the bucket can be accessed publicly
Resolution: Apply a more restrictive bucket ACL

More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-access-with-acl
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/

times
------------------------------------------
disk i/o             851.341µs
parsing HCL          8.618µs
evaluating values    62.734µs
running checks       2.326057ms

counts
------------------------------------------
files loaded         1
blocks               1
modules              0

results
------------------------------------------
critical             1
high                 1
medium               3
low                  0
ignored              0

5 potential problems detected.

This is the case because the provisioned S3 bucket violates the following checks:

  • aws-s3-enable-versioning,
  • aws-s3-enable-bucket-encryption,
  • aws-s3-enable-bucket-logging,
  • aws-s3-no-public-access-with-acl, and
  • aws-s3-specify-public-access-block.

As a rule, tfsec findings should be fixed rather than ignored. But if, say, bucket versioning and access logging are deliberately not required for any S3 bucket in the project, we can silence those two checks by passing their IDs to the -e option. Note the scope: -e applies to every resource in the run, and unless the flag lives in a checked-in script or hook the exception is invisible in review. tfsec can also read the same list from the exclude entry of a .tfsec/config.yml in the repository, and a single block can be excused with an inline #tfsec:ignore:<check-id> comment, which is usually the better tool when only one resource is the exception.

For example, passing -e aws-s3-enable-versioning,aws-s3-enable-bucket-logging silences the two findings for missing bucket versioning and bucket logging; the run below counts them under ignored and leaves the other three in place:

$ tfsec -e aws-s3-enable-versioning,aws-s3-enable-bucket-logging

  Result 1

  [aws-s3-enable-bucket-encryption][HIGH] Resource 'aws_s3_bucket.bad_example' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
  /tmp/s3.tf:1-3


       1 | resource "aws_s3_bucket" "bad_example" {
       2 |          acl = "public-read"
       3 |        }
       4 |

  Legacy ID:  AWS017
  Impact:     The bucket objects could be read if compromised
  Resolution: Configure bucket encryption

  More Info:
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html

  Result 2

  [aws-s3-no-public-access-with-acl][CRITICAL] Resource 'aws_s3_bucket.bad_example' has an ACL which allows public access.
  /tmp/s3.tf:2


       1 | resource "aws_s3_bucket" "bad_example" {
       2 |          acl = "public-read"    string: "public-read"
       3 |        }
       4 |

  Legacy ID:  AWS001
  Impact:     The contents of the bucket can be accessed publicly
  Resolution: Apply a more restrictive bucket ACL

  More Info:
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-access-with-acl
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
  - https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/

  Result 3

  [aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.bad_example has no associated aws_s3_bucket_public_access_block.
  /tmp/s3.tf:1-3


       1 | resource "aws_s3_bucket" "bad_example" {
       2 |          acl = "public-read"
       3 |        }
       4 |

  Legacy ID:  AWS098
  Impact:     Public access policies may be applied to sensitive data buckets
  Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies

  More Info:
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

  times
  ------------------------------------------
  disk i/o             914.818µs
  parsing HCL          9.538µs
  evaluating values    75.55µs
  running checks       2.163667ms

  counts
  ------------------------------------------
  files loaded         1
  blocks               1
  modules              0

  results
  ------------------------------------------
  critical             1
  high                 1
  medium               1
  low                  0
  ignored              2

  3 potential problems detected.
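After the -e run above, three real findings remain and two checks are silenced for every bucket in the project. As an added example that is not part of the original post, the script below rebuilds the /tmp experiment with those three findings fixed in the Terraform and the two accepted checks ignored on that one resource with tfsec's inline #tfsec:ignore comments (with an expiry date), so the exception sits next to the code it applies to instead of in a command-line flag. The resource name good_example, the expiry date and the temporary directory are assumptions for the example; the in-resource server_side_encryption_configuration block is the form the tfsec version on this page asks for in its Result 2 message.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the /tmp experiment with a
# hardened s3.tf. The three real findings are fixed in the HCL; the two accepted
# checks are ignored for this one block with #tfsec:ignore comments, each with an
# expiry date so the exception gets revisited. The work directory, resource name
# and expiry date are hypothetical.
set -e

WORKDIR=$(mktemp -d)
EXPIRES="2025-12-31"   # hypothetical review date for the accepted exceptions

# ignore_comment ID [YYYY-MM-DD]: print one tfsec inline-ignore comment for a
# check ID, optionally with an expiry in tfsec's ":exp:" form. A malformed date
# is rejected rather than written out.
ignore_comment() {
    id=$1
    exp=${2:-}
    if [ -z "$exp" ]; then
        printf '#tfsec:ignore:%s\n' "$id"
        return 0
    fi
    case "$exp" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "ignore_comment: expiry must be YYYY-MM-DD, got '$exp'" >&2; return 1 ;;
    esac
    printf '#tfsec:ignore:%s:exp:%s\n' "$id" "$exp"
}

# hardened_s3_tf: emit the fixed bucket. tfsec reads an ignore comment either
# on the line above a block or at the end of the block's own first line; one of
# each is used here. The in-resource server_side_encryption_configuration block
# is what the tfsec version on this page checks for; with AWS provider v4+ the
# same setting also exists as a separate
# aws_s3_bucket_server_side_encryption_configuration resource.
hardened_s3_tf() {
    above=$(ignore_comment aws-s3-enable-versioning "$EXPIRES")
    trailing=$(ignore_comment aws-s3-enable-bucket-logging "$EXPIRES")
    cat <<EOF
$above
resource "aws_s3_bucket" "good_example" { $trailing
  acl = "private" # fixes aws-s3-no-public-access-with-acl

  # fixes aws-s3-enable-bucket-encryption
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# fixes aws-s3-specify-public-access-block
resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket                  = aws_s3_bucket.good_example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
EOF
}

hardened_s3_tf > "$WORKDIR/s3.tf"

# With the two exceptions pinned to the block, the scan needs no -e flag at all;
# they should appear under "ignored" in the summary instead of as results.
if ! command -v tfsec >/dev/null 2>&1; then
    echo "tfsec not installed; wrote $WORKDIR/s3.tf for inspection" >&2
elif tfsec "$WORKDIR"; then
    echo "tfsec found no problems in $WORKDIR/s3.tf" >&2
else
    echo "tfsec exited $?; review the remaining findings in $WORKDIR/s3.tf" >&2
fi
```

Run it with sh and then open the printed s3.tf: the two ignore comments carry the check ID and the expiry, so the next reader knows both what was accepted and when it is due for review, which a bare -e flag in someone's shell history never tells them.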