
Updates tfsec/chekov ignores | S3 Enable Logging/Versioning

No changes are occurring

Ignore comments for aws-s3-enable-bucket-logging and aws-s3-enable-versioning, plus the Checkov equivalents; S3 Data should be versioned - Bucket does not have versioning enabled

# Globally ignore the checks for tfsec
  ignored_tfsec = [
    "aws-s3-enable-bucket-logging", # TODO: We do not currently log s3 access.

ID         - aws-s3-enable-bucket-logging
Severity   - High
Impact     - Overly permissive policies may grant access to sensitive resources
Resolution - Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

tfsec       - https://aquasecurity.github.io/tfsec/v1.27.1/checks/aws/iam/no-policy-wildcards/
checkov     - https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
tf registry - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
AWS         - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

ID         - aws-s3-enable-versioning
Severity   - Medium
Impact     - Deleted or modified data would not be recoverable
Resolution - Enable versioning to protect against accidental/malicious removal or modification

More Information
tfsec      - https://aquasecurity.github.io/tfsec/v1.27.1/checks/aws/s3/enable-versioning/
checkov    - https://docs.bridgecrew.io/docs/s3_16-enable-versioning

To be tagged as v5.3.1
Jeremy Cooper [AFS MBP] vor 3 Jahren
Ursprung
Commit
780e3d9967

+ 6 - 4
base/CA_Infrastructure/root_CA/audit_bucket.tf

@@ -1,11 +1,13 @@
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date enable everywhere at a later date if required
 resource "aws_s3_bucket" "audit_reports" {
+  # checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
   # checkov:skip=CKV_AWS_145: Risk is low for AES-256 encryption
-	# checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
-	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  
   provider = aws.c2 # The reports go in the c2 bucket
   bucket   = "xdr-ca-audit-reports"
-
-  tags = merge(local.standard_tags, var.tags)
+  tags     = merge(local.standard_tags, var.tags)
 
 }
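Review bot: The justification on the new tfsec ignore above `resource "aws_s3_bucket" "audit_reports"` repeats itself (`enable everywhere at a later date enable everywhere at a later date`); every other section in this commit uses `# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required`, which reads correctly. For an audit-reports bucket, server access logging is part of the audit trail rather than an optional hardening step, so this suppression deserves a bucket-specific reason or a tracking reference (a `<ticket-id>` placeholder in the comment until one exists) instead of the shared TODO. The blank line added inside the resource carries trailing spaces that `terraform fmt` would strip; the same applies to the blank lines added in codebuild_ecr_base/s3.tf, generic_s3_bucket_with_role/s3.tf, phantom_s3_bucket/main.tf and vmray_instances/s3.tf.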
 

+ 1 - 1
base/account_standards_c2/elb_bucket.tf

@@ -43,7 +43,7 @@ resource "aws_s3_bucket_logging" "elb_logging_bucket" {
   target_prefix = "${var.aws_account_id}-${var.aws_region}-elblogs/"
 }
 
-# tfsec:ignore:aws-s3-encryption-customer-key
+# tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_elb_logging_bucket" {
   bucket = aws_s3_bucket.elb_logging_bucket.id
 

+ 4 - 2
base/codebuild_ecr_base/s3.tf

@@ -1,9 +1,11 @@
 # S3 bucket for codebuild output
 # tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
 # tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "artifacts" {
-  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
-	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
+  
   bucket        = "xdr-codebuild-artifacts"
   force_destroy = true
 }
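Review bot: The new logging suppression sits on a bucket that the lines above already exempt from all four public-access checks, so after this change nothing records who reads `xdr-codebuild-artifacts`; on a publicly readable bucket, access logging is the only detection signal, and it should be justified on its own terms rather than with the shared TODO. The existing rationale `Certificate CRLs need to be publicly accessible` is context, but it does not obviously describe a CodeBuild artifacts bucket — worth confirming it was not copied from shared_ami_key/main.tf.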

+ 7 - 0
base/codebuild_portal_lambda/s3.tf

@@ -5,7 +5,12 @@ locals {
 }
 
 #S3 bucket for codebuild output
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "bucket" {
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_21: versioning Suspended for this bucket
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
+
   bucket        = local.bucket_name
   force_destroy = true
   tags          = merge(local.standard_tags, var.tags)
@@ -16,6 +21,7 @@ resource "aws_s3_bucket_acl" "s3_acl_bucket" {
   acl    = "private"
 }
 
+# tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket
 resource "aws_s3_bucket_versioning" "s3_version_bucket" {
   bucket = aws_s3_bucket.bucket.id
   versioning_configuration {
@@ -25,6 +31,7 @@ resource "aws_s3_bucket_versioning" "s3_version_bucket" {
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
   bucket = aws_s3_bucket.bucket.id
+
   rule {
     apply_server_side_encryption_by_default {
       kms_master_key_id = aws_kms_key.s3_codebuild.arn
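Review bot: `# checkov:skip=CKV_AWS_21: versioning Suspended for this bucket` and the matching tfsec ignore on `aws_s3_bucket_versioning` restate the finding instead of justifying it — both scanners already know versioning is suspended, so the skip needs to say why that is acceptable. Something like `# checkov:skip=CKV_AWS_21: <why versioning is not required, e.g. objects are regenerated by each build>` gives the next reader the decision rather than the state; the same wording is used in customer_portal_lambda/s3.tf, globally_accessible_bucket/main.tf and thirdparty/terraform-aws-github-runner/modules/runner-binaries-syncer/main.tf. The blank line added inside `s3_sse_bucket` is whitespace only.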

+ 8 - 0
base/customer_portal_lambda/s3.tf

@@ -1,4 +1,10 @@
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
+# tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket
 resource "aws_s3_bucket" "bucket" {
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_21: versioning Suspended for this bucket
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
+
   bucket        = "xdr-portal-lambda-${var.environment}"
   force_destroy = true
 }
@@ -61,6 +67,8 @@ resource "aws_kms_key" "key" {
 }
 
 data "aws_iam_policy_document" "kms_policy_document" {
+  # checkov:skip=CKV_AWS_109: see tfsec aws-iam-no-policy-wildcard ignore comment
+  # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
   statement {
     sid    = "AllowServices"
     effect = "Allow"
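Review bot: The `aws-s3-enable-versioning` ignore is placed above `resource "aws_s3_bucket" "bucket"` here, while codebuild_portal_lambda/s3.tf and globally_accessible_bucket/main.tf put the same ignore above their `aws_s3_bucket_versioning` resource; tfsec attaches a finding to one resource, so one of the two placements is probably a no-op and should be confirmed against an actual tfsec run. In the KMS policy hunk, both new skips refer to a `tfsec aws-iam-no-policy-wildcard ignore comment` that is not in the hunk; if that comment lives elsewhere in this file the reference is fine, otherwise it is dangling and should name the actual reason the wildcard is needed (the `statement` block continues outside the hunk).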

+ 5 - 0
base/generic_s3_bucket_with_role/s3.tf

@@ -1,4 +1,8 @@
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "bucket" {
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
+  
   bucket = local.fullname
   tags   = merge(local.standard_tags, var.tags)
 }
@@ -17,6 +21,7 @@ resource "aws_s3_bucket_acl" "s3_acl_bucket" {
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
   bucket = aws_s3_bucket.bucket.id
+
   rule {
     apply_server_side_encryption_by_default {
       kms_master_key_id = aws_kms_key.bucketkey.arn

+ 4 - 1
base/github_actions_s3_bucket/main.tf

@@ -4,9 +4,12 @@ locals {
   account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
 }
 
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "bucket" {
-  bucket = local.bucket_name
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
 
+  bucket = local.bucket_name
   tags   = merge(local.standard_tags, var.tags)
 }
 

+ 9 - 2
base/globally_accessible_bucket/main.tf

@@ -15,10 +15,16 @@ locals {
   final_accounts = concat(local.customer_accounts_arn, local.xdr_accounts, local.extra_accounts)
 }
 
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "bucket" {
-  bucket = var.name
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_19: False positive due to var.encryption
+  # checkov:skip=CKV_AWS_21: versioning Suspended for this bucket
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
+  # checkov:skip=CKV_AWS_145: False positive due to var.encryption
 
-  tags = merge(local.standard_tags, var.tags)
+  bucket = var.name
+  tags   = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "s3_acl_bucket" {
@@ -26,6 +32,7 @@ resource "aws_s3_bucket_acl" "s3_acl_bucket" {
   acl    = "private"
 }
 
+# tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket
 resource "aws_s3_bucket_versioning" "s3_version_bucket" {
   bucket = aws_s3_bucket.bucket.id
   versioning_configuration {
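Review bot: `# checkov:skip=CKV_AWS_19: False positive due to var.encryption` and its CKV_AWS_145 twin are unconditional, but the encryption they point to is apparently driven by a variable; when the module is instantiated with encryption off, the skip still hides the finding, so this is a suppression of a real configuration path rather than a false positive, and the comment should say so. On a bucket shared with the accounts in `local.final_accounts`, suspended versioning also removes the recovery path after a delete by a cross-account principal; `versioning Suspended for this bucket` describes the state, not the reason it is acceptable. Both observations assume `var.encryption` gates the SSE configuration, which is outside the hunk.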

+ 6 - 0
base/phantom_s3_bucket/main.tf

@@ -6,7 +6,12 @@ locals {
     aws_iam_role.phantom_s3_role.arn
   ]
 }
+
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "bucket" {
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
+  
   bucket = local.bucket_name
   tags   = merge(local.standard_tags, var.tags)
 }
@@ -22,6 +27,7 @@ resource "aws_s3_bucket_acl" "s3_acl_bucket" {
 }
 resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
   bucket = aws_s3_bucket.bucket.id
+
   rule {
     apply_server_side_encryption_by_default {
       kms_master_key_id = aws_kms_key.bucketkey.arn

+ 8 - 6
base/shared_ami_key/main.tf

@@ -58,15 +58,17 @@ module "shared_ami_key" {
 # tfsec:ignore:aws-s3-block-public-policy 
 # tfsec:ignore:aws-s3-ignore-public-acls
 # tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
+# tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket
 resource "aws_s3_bucket" "xdr-shared-amis" {
-	# checkov:skip=CKV_AWS_21: Versioning TODO
-	# checkov:skip=CKV_AWS_144: Cross-region replication TODO
+  # checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_21: Versioning TODO
+  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
   # checkov:skip=CKV_AWS_145: Risk is low for AES-256 encryption
-	# checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
-	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
-  bucket = var.ami_bucket_name
 
-  tags = merge(local.standard_tags, var.tags)
+  bucket = var.ami_bucket_name
+  tags   = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "s3_acl_xdr-shared-amis" {
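Review bot: The new `# tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket` and the retained `# checkov:skip=CKV_AWS_21: Versioning TODO` give two different answers for the same control on `xdr-shared-amis` — one calls it a deliberate state, the other something still to be done. Pick one and use it in both comments, e.g. `# checkov:skip=CKV_AWS_21: Versioning TODO` paired with `# tfsec:ignore:aws-s3-enable-versioning Versioning TODO`. This bucket is also exempted from the public-access checks above, so the new logging suppression leaves a publicly readable bucket with no access trail; if that is intended it should be stated here rather than through the shared TODO.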

+ 7 - 3
base/splunk_servers/app_s3_bucket/main.tf

@@ -4,10 +4,14 @@ locals {
   account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
 }
 
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "bucket" {
-  bucket = local.bucket_name
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_21: We don't version frozen data
+  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
 
-  tags = merge(local.standard_tags, var.tags)
+  bucket = local.bucket_name
+  tags   = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "s3_acl_bucket" {
@@ -15,7 +19,7 @@ resource "aws_s3_bucket_acl" "s3_acl_bucket" {
   acl    = "private"
 }
 
-# tfsec:ignore:aws-s3-enable-versioning no versioning needed
+# tfsec:ignore:aws-s3-enable-versioning We don't version frozen data
 resource "aws_s3_bucket_versioning" "s3_version_bucket" {
   bucket = aws_s3_bucket.bucket.id
   versioning_configuration {
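Review bot: `We don't version frozen data` is now the rationale on both the CKV_AWS_21 skip and the tfsec ignore in this file, but this is app_s3_bucket, not frozen_s3_bucket; the text looks copied from the sibling module and should describe this bucket's contents. The previous `no versioning needed` was at least not wrong about which bucket it referred to; something like `# tfsec:ignore:aws-s3-enable-versioning <reason app-bucket objects need no recovery>` keeps the rationale specific.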

+ 6 - 2
base/splunk_servers/frozen_s3_bucket/main.tf

@@ -4,10 +4,14 @@ locals {
   account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
 }
 
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "bucket" {
-  bucket = local.bucket_name
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_21: We don't version frozen data
+  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
 
-  tags = merge(local.standard_tags, var.tags)
+  bucket = local.bucket_name
+  tags   = merge(local.standard_tags, var.tags)
 }
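Review bot: `# checkov:skip=CKV_AWS_21: We don't version frozen data` — for a bucket that, going by its path, holds Splunk frozen (archived) data, this is the data set that cannot be regenerated from source, and versioning or Object Lock is the usual control against deletion or overwrite by a compromised writer. If the decision is cost-driven that is a legitimate call, but the skip should record it (`… retention handled by <lifecycle rule / backup>` or similar) rather than restate the policy. Unlike app_s3_bucket/main.tf, no matching `aws-s3-enable-versioning` tfsec ignore is added here, so tfsec may still report this bucket.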
 
 resource "aws_s3_bucket_acl" "s3_acl_bucket" {

+ 5 - 2
base/splunk_servers/smartstore_s3_bucket/main.tf

@@ -4,10 +4,13 @@ locals {
   account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
 }
 
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "bucket" {
-  bucket = local.bucket_name
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
 
-  tags = merge(local.standard_tags, var.tags)
+  bucket = local.bucket_name
+  tags   = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "s3_acl_bucket" {

+ 3 - 0
base/teleport-single-instance/s3.tf

@@ -5,7 +5,10 @@ session replays and SSL certificates.
 */
 
 // S3 bucket for cluster storage
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "storage" {
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
   bucket        = "${var.instance_name}-${var.environment}"
   force_destroy = var.instance_termination_protection ? false : true # reverse of termination protection, destroy if no termination protection
 }
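Review bot: The header context says this bucket stores `session replays and SSL certificates`; session recordings are audit evidence, and access logging on the bucket that holds them is how you later answer who retrieved or deleted a recording. The shared `TODO: enable everywhere at a later date if required` is weakest here — either enable logging for this bucket or record the specific reason it is deferred in the ignore comment.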

+ 4 - 1
base/tfstate/tfstate-s3/s3.tf

@@ -1,6 +1,9 @@
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "tfstate" {
-  bucket = var.bucket_name
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
 
+  bucket     = var.bucket_name
   depends_on = [var.module_depends_on]
 }
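Review bot: Terraform state routinely holds credentials and other secrets in plaintext, so server access logging on `aws_s3_bucket.tfstate` is the read trail for that data, and this is the bucket where the blanket `TODO: enable everywhere at a later date if required` is hardest to defend. If logging stays off, say why in this comment, e.g. `# tfsec:ignore:aws-s3-enable-bucket-logging <where state reads are logged instead, or why deferred>`; `depends_on = [var.module_depends_on]` shows this module is wired from a parent, so if the reason is that no logging target bucket exists yet, note that.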
 

+ 4 - 0
base/vmray_instances/s3.tf

@@ -5,7 +5,11 @@ data.
 */
 
 // S3 bucket for cluster storage
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
 resource "aws_s3_bucket" "storage" {
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
+  
   bucket        = "xdr-${var.environment}-vmray-backups"
   force_destroy = var.instance_termination_protection ? false : true # reverse of termination protection, destroy if no termination protection
 }

+ 10 - 0
thirdparty/terraform-aws-github-runner/modules/runner-binaries-syncer/main.tf

@@ -2,7 +2,15 @@ locals {
   action_runner_distribution_object_key = "actions-runner-${var.runner_os}.${var.runner_os == "linux" ? "tar.gz" : "zip"}"
 }
 
+# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
+# tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket
 resource "aws_s3_bucket" "action_dist" {
+  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
+  # checkov:skip=CKV_AWS_19: False positive due to var.encryption
+  # checkov:skip=CKV_AWS_21: versioning Suspended for this bucket
+  # checkov:skip=CKV_AWS_144: TODO: cross replication
+  # checkov:skip=CKV_AWS_145: False positive due to var.encryption
+
   bucket        = var.distribution_bucket_name
   force_destroy = true
   tags          = var.tags
@@ -33,10 +41,12 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
   }
 }
 
+# tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption
 resource "aws_s3_bucket_server_side_encryption_configuration" "action_dist" {
   bucket = aws_s3_bucket.action_dist.id
   count  = try(var.server_side_encryption_configuration, null) != null ? 1 : 0
 
+# tfsec:ignore:aws-s3-enable-bucket-encryption FalsePos
   dynamic "rule" {
     for_each = [lookup(var.server_side_encryption_configuration, "rule", {})]