
Ignore comments for tfsec ID - aws-ec2-no-public-egress-sgr

No actual changes are being made; this is an 'ignore comment'

An egress security group rule allows traffic to /0. Security group rule allows egress to multiple public internet addresses.

ID         - aws-ec2-no-public-egress-sgr
Severity   - Critical
Impact     - Your port is egressing data to the internet
Resolution - Set a more restrictive cidr range

More Information:

tfsec       - https://aquasecurity.github.io/tfsec/v1.27.2/checks/aws/ec2/no-public-egress-sgr/
tf registry - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#egress
AWS         - https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html

# tfsec:ignore:aws-ec2-no-public-egress-sgr

Additional Checkov Findings
# checkov:skip=CKV_AWS_79:see tfsec explanation
# tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668

No actual changes are being made; I verified the console settings and hard coded the syntax in TF.

For IMDS, enabling the 'enforce' feature on most of the EC2 fleet will break Salt state that has a file source of s3://*. We'd definitely prefer to have imdsv2 if we could, but it's not safe to turn on in our environment at this time. Most changes concerning syntax placement for tfsec / checkov ignores.

aws_instance should activate session tokens for Instance Metadata Service. Instance does not require IMDS access to require a token

ID         - aws-ec2-enforce-http-token-imds
Severity   - High
Impact     - Instance metadata service can be interacted with freely
Resolution - Enable HTTP token requirement for IMDS

tfsec      - https://aquasecurity.github.io/tfsec/v1.26.3/checks/aws/ec2/enforce-http-token-imds/
checkov    - https://docs.bridgecrew.io/docs/bc_aws_general_31
AWS        - https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

tagged: v5.3.7
Jeremy Cooper [AFS MBP] 3 years ago
Parent
Current commit
b7b5ad1706
1 file changed, 9 insertions, 0 deletions

+ 9 - 0
thirdparty/terraform-aws-github-runner/modules/runners/main.tf

@@ -53,7 +53,9 @@ data "aws_ami" "runner" {
   owners = var.ami_owners
 }
 
+# tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
 resource "aws_launch_template" "runner" {
+  # checkov:skip=CKV_AWS_79: see tfsec explanation
   name = "${var.prefix}-action-runner"
 
   dynamic "block_device_mappings" {
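Review bot: the `# tfsec:ignore:aws-ec2-enforce-http-token-imds` line placed above `resource "aws_launch_template" "runner"` carries no expiry, so the suppression will silently outlive the Salt issue it cites. tfsec accepts an `:exp:YYYY-MM-DD` suffix on ignore comments (for example `# tfsec:ignore:aws-ec2-enforce-http-token-imds:exp:YYYY-MM-DD Saltstack doesn't use s3 sources appropriately; ...` with a real date filled in); adding one forces the team to revisit IMDSv2 enforcement once https://github.com/saltstack/salt/issues/60668 is resolved instead of leaving the Critical/High finding permanently muted. The same applies to the `# checkov:skip=CKV_AWS_79: see tfsec explanation` line inside the block: the justification points at the tfsec comment, so the two should be kept adjacent and updated together.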
@@ -141,6 +143,10 @@ resource "aws_launch_template" "runner" {
   update_default_version = true
 }
 
+#----------------------------------------------------------------------------
+# GH Actions Security Group
+#----------------------------------------------------------------------------
+# tfsec:ignore:aws-ec2-no-public-egress-sgr GH runner requires /0 egress access
 resource "aws_security_group" "runner_sg" {
   count       = var.enable_managed_runner_security_group ? 1 : 0
   name_prefix = "${var.prefix}-github-actions-runner-sg"
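Review bot: placing `# tfsec:ignore:aws-ec2-no-public-egress-sgr` above the whole `resource "aws_security_group" "runner_sg"` block suppresses the check for every egress rule the resource generates from `var.egress_rules`, not only the `/0` rule the justification describes, so an overly broad CIDR added to that variable later would never be flagged. Prefer a trailing inline ignore on the `cidr_blocks` line inside the `dynamic "egress"` block so the suppression is scoped to the rule it excuses, and expand "GH runner requires /0 egress access" to name the destinations that need it (GitHub endpoints, package mirrors), since that is what anyone reviewing `var.egress_rules` will want to check the rules against.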
@@ -148,6 +154,9 @@ resource "aws_security_group" "runner_sg" {
 
   vpc_id = var.vpc_id
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
   dynamic "egress" {
     for_each = var.egress_rules
     iterator = each
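Review bot: the three added `#----` / `# EGRESS` banner lines sit at column 0 inside the `aws_security_group` body while the surrounding `vpc_id` and `dynamic "egress"` lines are indented two spaces; indent the banner to match the block body so the comment reads as part of the resource rather than a top-level divider. This hunk is comment-only, so there is no functional change to verify here beyond the formatting.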