Insecure Configuration

Why is this important?

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently; It is also a well known tool for implementing infrastructure-as-code. While official examples follow best security practices by default, there are instances where it can be configured insecurely, or security best practices are not yet enabled by default.

Missing ECR Image Scans

AWS ECR has the capability to scan an image. By default, image scanning must be manually triggered.

Option A: Enable Scan on Push

1. Go through the issues that GuardRails identified.
2. Locate either a missing scan_of_push argument, or where it's set to false.

resource "aws_ecr_repository" "foo" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = false
  }
}

3. Change the scan_on_push argument to true.
4. Test it
5. Ship it 🚢 and relax 🌴

Legacy ABAC permissions

Option A: Enable RBAC

1. Go through the issues that GuardRails identified.
2. Locate either the enable_legacy_abac argument in the google_container_cluster resource.
3. Set enable_legacy_abac to false, or remove the argument entirely.