Insecure Configuration
Why is this important?
Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently, and it is a well-known tool for implementing infrastructure-as-code. While the official examples follow security best practices by default, Terraform resources can still be configured insecurely, and some security best practices are not yet enabled by default.
Missing ECR Image Scans
AWS ECR has the capability to scan an image. By default, image scanning must be manually triggered.
Option A: Enable Scan on Push
- Go through the issues that GuardRails identified.
- Locate either a missing `scan_on_push` argument, or one that is set to `false`:

```hcl
resource "aws_ecr_repository" "foo" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = false
  }
}
```

- Change the `scan_on_push` argument to `true`.
- Test it.
- Ship it 🚢 and relax 🌴
Legacy ABAC permissions
Option A: Enable RBAC
- Go through the issues that GuardRails identified.
- Locate the `enable_legacy_abac` argument in the `google_container_cluster` resource.
- Set `enable_legacy_abac` to `false`, or remove the argument entirely.
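The two checks above (ECR repositories without `scan_on_push = true`, and GKE clusters with `enable_legacy_abac = true`) can be run locally over Terraform files before a plan ever reaches a pipeline. The script below is an added example, not GuardRails' own scanner or any Terraform provider code; it uses a deliberately small, hand-written HCL block reader (no external HCL library, and it does not handle braces inside strings), and the sample configuration it scans is constructed for the example, with the ECR repository `foo` copied from the snippet above.

```python
import re
from dataclasses import dataclass

# Minimal line-oriented HCL matching: resource headers, nested blocks, attributes.
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
BLOCK_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*\{\s*$")
ATTR_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


@dataclass
class Finding:
    resource: str  # "type.name"
    rule: str
    message: str


def parse_resources(hcl):
    """Return (type, name, body_lines) for each top-level resource block."""
    lines, out, i = hcl.splitlines(), [], 0
    while i < len(lines):
        m = RESOURCE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        depth, body = 1, []
        while i < len(lines) and depth > 0:  # collect until the matching "}"
            depth += lines[i].count("{") - lines[i].count("}")
            if depth > 0:
                body.append(lines[i])
            i += 1
        out.append((m.group(1), m.group(2), body))
    return out


def nested_block(body, name):
    """Lines inside the first nested block `name { ... }`, or None if absent."""
    for idx, line in enumerate(body):
        m = BLOCK_RE.match(line)
        if m and m.group(1) == name:
            depth, inner = 1, []
            for line in body[idx + 1:]:
                depth += line.count("{") - line.count("}")
                if depth <= 0:
                    break
                inner.append(line)
            return inner
    return None


def attr_value(lines, name):
    """Value of attribute `name` at the top level of `lines` (nested blocks skipped)."""
    depth = 0
    for line in lines:
        m = ATTR_RE.match(line) if depth == 0 else None
        if m and m.group(1) == name:
            value = m.group(2)
            # Drop a trailing "#"/"//" comment after an unquoted value
            return value if value.startswith('"') else re.split(r"\s*(?:#|//)", value, 1)[0]
        depth += line.count("{") - line.count("}")
    return None


def check(hcl):
    """Apply both rules from this page and return the findings in file order."""
    findings = []
    for rtype, rname, body in parse_resources(hcl):
        ref = f"{rtype}.{rname}"
        if rtype == "aws_ecr_repository":
            cfg = nested_block(body, "image_scanning_configuration")
            if cfg is None or attr_value(cfg, "scan_on_push") != "true":
                findings.append(Finding(ref, "ecr-scan-on-push",
                                        "image_scanning_configuration.scan_on_push is missing or not true"))
        elif rtype == "google_container_cluster":
            if attr_value(body, "enable_legacy_abac") == "true":
                findings.append(Finding(ref, "gke-legacy-abac",
                                        "enable_legacy_abac = true; set it to false or remove it"))
    return findings


# Constructed sample configuration: three ECR repositories, two GKE clusters.
SAMPLE_HCL = '''
resource "aws_ecr_repository" "foo" {        # scanning explicitly disabled
  name                 = "bar"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = false
  }
}
resource "aws_ecr_repository" "fixed" {      # hardened: every push is scanned
  name = "bar-fixed"
  image_scanning_configuration {
    scan_on_push = true
  }
}
resource "aws_ecr_repository" "bare" {       # no scanning block: manual scans only
  name = "bar-bare"
}
resource "google_container_cluster" "legacy" {
  name               = "legacy-cluster"
  location           = "us-central1"
  enable_legacy_abac = true
  node_config {
    machine_type = "e2-medium"
  }
}
resource "google_container_cluster" "ok" {   # argument removed entirely
  name     = "ok-cluster"
  location = "us-central1"
}
'''

if __name__ == "__main__":
    for f in check(SAMPLE_HCL):
        print(f"[{f.rule}] {f.resource}: {f.message}")
```

Running it flags `aws_ecr_repository.foo`, `aws_ecr_repository.bare` and `google_container_cluster.legacy`; the hardened repository and the cluster with the argument removed pass. For real repositories, feed it the contents of each `.tf` file and fail the build when the list is non-empty.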