How To Ignore Multiple tfsec Errors
I stumbled upon this today when I wanted to get a pre-commit hook running again that runs tfsec.
If we want to ignore multiple errors with tfsec, we can use the -e flag followed by a comma-separated string of error names:
tfsec -e ${error_names}
Example
Assuming we have an s3.tf like the following:
# s3.tf
resource "aws_s3_bucket" "bad_example" {
acl = "public-read"
}
TFSec will produce the following output:
$ tfsec
Result 1
[aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.bad_example has no associated aws_s3_bucket_public_access_block.
/tmp/s3.tf:1-3
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
Legacy ID: AWS098
Impact: Public access policies may be applied to sensitive data buckets
Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies
More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
Result 2
[aws-s3-enable-bucket-encryption][HIGH] Resource 'aws_s3_bucket.bad_example' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/tmp/s3.tf:1-3
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
Legacy ID: AWS017
Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption
More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
Result 3
[aws-s3-enable-bucket-logging][MEDIUM] Resource 'aws_s3_bucket.bad_example' does not have logging enabled.
/tmp/s3.tf:1-3
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
Legacy ID: AWS002
Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging
More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-logging
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
- https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Result 4
[aws-s3-enable-versioning][MEDIUM] Resource 'aws_s3_bucket.bad_example' does not have versioning enabled
/tmp/s3.tf:1-3
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
Legacy ID: AWS077
Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification
More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
Result 5
[aws-s3-no-public-access-with-acl][CRITICAL] Resource 'aws_s3_bucket.bad_example' has an ACL which allows public access.
/tmp/s3.tf:2
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read" string: "public-read"
3 | }
4 |
Legacy ID: AWS001
Impact: The contents of the bucket can be accessed publicly
Resolution: Apply a more restrictive bucket ACL
More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-access-with-acl
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
times
------------------------------------------
disk i/o 851.341µs
parsing HCL 8.618µs
evaluating values 62.734µs
running checks 2.326057ms
counts
------------------------------------------
files loaded 1
blocks 1
modules 0
results
------------------------------------------
critical 1
high 1
medium 3
low 0
ignored 0
5 potential problems detected.
This is the case because the provisioned S3 bucket violates the following checks:
- aws-s3-enable-versioning,
- aws-s3-enable-bucket-encryption,
- aws-s3-enable-bucket-logging,
- aws-s3-no-public-access-with-acl, and
- aws-s3-specify-public-access-block.
Obviously, we should not ignore TFSec errors in general. But if, for example, it is safe to disable bucket versioning and logging for all S3 buckets, we can silence exactly those two checks by passing their names to the -e option.
For example, passing -e aws-s3-enable-versioning,aws-s3-enable-bucket-logging silences the errors due to missing bucket versioning and bucket logging, while the other three checks are still reported:
$ tfsec -e aws-s3-enable-versioning,aws-s3-enable-bucket-logging
Result 1
[aws-s3-enable-bucket-encryption][HIGH] Resource 'aws_s3_bucket.bad_example' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
/tmp/s3.tf:1-3
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
Legacy ID: AWS017
Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption
More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-bucket-encryption
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
Result 2
[aws-s3-no-public-access-with-acl][CRITICAL] Resource 'aws_s3_bucket.bad_example' has an ACL which allows public access.
/tmp/s3.tf:2
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read" string: "public-read"
3 | }
4 |
Legacy ID: AWS001
Impact: The contents of the bucket can be accessed publicly
Resolution: Apply a more restrictive bucket ACL
More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/no-public-access-with-acl
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
Result 3
[aws-s3-specify-public-access-block][MEDIUM] Resource aws_s3_bucket.bad_example has no associated aws_s3_bucket_public_access_block.
/tmp/s3.tf:1-3
1 | resource "aws_s3_bucket" "bad_example" {
2 | acl = "public-read"
3 | }
4 |
Legacy ID: AWS098
Impact: Public access policies may be applied to sensitive data buckets
Resolution: Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies
More Info:
- https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/specify-public-access-block
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
times
------------------------------------------
disk i/o 914.818µs
parsing HCL 9.538µs
evaluating values 75.55µs
running checks 2.163667ms
counts
------------------------------------------
files loaded 1
blocks 1
modules 0
results
------------------------------------------
critical 1
high 1
medium 1
low 0
ignored 2
3 potential problems detected.
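As an added example (not part of the original post), the s3.tf below addresses the three findings that remain after the -e run above: a private ACL for aws-s3-no-public-access-with-acl, a server_side_encryption_configuration block for aws-s3-enable-bucket-encryption, and an aws_s3_bucket_public_access_block for aws-s3-specify-public-access-block. It assumes the provider v3-style inline bucket arguments that the resolution links in the tfsec output point to; the bucket and key names are made up, and versioning and logging stay excluded via -e exactly as in the post.

```hcl
# s3.tf (added example; resource names and the bucket name are constructed)

# KMS key used for default bucket encryption (assumed, not from the post)
resource "aws_kms_key" "bucket_key" {
  description         = "Key for encrypting objects in the example bucket"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "good_example" {
  bucket = "example-hardened-bucket"

  # aws-s3-no-public-access-with-acl: replace "public-read" with a private ACL
  acl = "private"

  # aws-s3-enable-bucket-encryption: encrypt objects at rest by default
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.bucket_key.arn
      }
    }
  }

  # aws-s3-enable-versioning and aws-s3-enable-bucket-logging remain
  # excluded with -e in this example, so no versioning or logging block here.
}

# aws-s3-specify-public-access-block: block public ACLs and policies at the
# bucket level, independent of what the ACL above says
resource "aws_s3_bucket_public_access_block" "good_example" {
  bucket = aws_s3_bucket.good_example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Running the same tfsec -e aws-s3-enable-versioning,aws-s3-enable-bucket-logging command against this file is expected to report no remaining results, with the two excluded checks still counted under "ignored".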