diff --git a/test/testdata/mondoo-terraform-aws-security.mql.yaml b/test/testdata/mondoo-terraform-aws-security.mql.yaml
index 860b399e..88ff030a 100644
--- a/test/testdata/mondoo-terraform-aws-security.mql.yaml
+++ b/test/testdata/mondoo-terraform-aws-security.mql.yaml
@@ -36,12 +36,6 @@ policies:
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- - title: AWS General
- filters: |
- asset.platform == "terraform" || asset.platform == "terraform-hcl"
- terraform.providers.any(nameLabel == "aws")
- checks:
- - uid: terraform-aws-security-no-static-credentials-in-providers
- title: Amazon API Gateway
filters: |
asset.platform == "terraform" || asset.platform == "terraform-hcl"
@@ -84,55 +78,6 @@ policies:
- uid: terraform-aws-security-eks-encrypt-secrets
- uid: terraform-aws-security-eks-no-public-cluster-access-to-cidr
queries:
- - uid: terraform-aws-security-no-static-credentials-in-providers
- title: Providers should not contain hard-coded credentials
- mql: |
- terraform.providers.where( nameLabel == "aws" ) {
- arguments["access_key"] == null || arguments["access_key"].find(/(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}/).all("AKIAIOSFODNN7EXAMPLE")
- arguments["secret_key"] == null || arguments["secret_key"].find(/([A-Za-z0-9\\\/+\\]{40})/).all( "wJalrXUtnFEMI/A1AAAAA/bPxRfiCYAAAAAAAKEY")
- }
- docs:
- desc: |
- Hard-coded credentials are not recommended in any Terraform configuration, and risks secret leakage should this file ever be committed to a public version control system.
- audit: |
- Check for the existence of hard-coded credentials in the AWS provider
-
- ```hcl
- provider "aws" {
- region = "us-west-2"
- access_key = "my-access-key"
- secret_key = "my-secret-key"
- }
- ```
- remediation: |
- The following are more secure alternatives for configuring the AWS provider:
-
- __Environment Variables__
- You can provide your credentials via the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables representing your AWS Access Key and AWS Secret Key, respectively. Note that setting your AWS credentials using either these (or legacy) environment variables will override the use of `AWS_SHARED_CREDENTIALS_FILE` and `AWS_PROFILE`. The `AWS_DEFAULT_REGION` and `AWS_SESSION_TOKEN` environment variables are also used, if applicable:
-
- ```bash
- $ export AWS_ACCESS_KEY_ID="an_accesskey"
- $ export AWS_SECRET_ACCESS_KEY="a_secretkey"
- $ export AWS_DEFAULT_REGION="us-west-2"
- $ terraform plan
- ```
-
- ```hcl
- provider "aws" {}
- ```
-
- __Assumed Role__
- If provided with a role ARN, Terraform will attempt to assume this role using the supplied credentials.
-
- ```hcl
- provider "aws" {
- assume_role {
- role_arn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
- session_name = "SESSION_NAME"
- external_id = "EXTERNAL_ID"
- }
- }
- ```
- uid: terraform-aws-security-api-gw-cache-enabled-and-encrypted
title: API Gateway must have cache enabled
mql: |
diff --git a/test/testdata/terraform/aws-3.xx/fail/provider.tf b/test/testdata/terraform/aws-3.xx/fail/provider.tf
index d9576ce6..67391ec5 100644
--- a/test/testdata/terraform/aws-3.xx/fail/provider.tf
+++ b/test/testdata/terraform/aws-3.xx/fail/provider.tf
@@ -9,7 +9,4 @@ terraform {
provider "aws" {
# Configuration options
- region = "us-west-2"
- access_key = "AKIAIOSFODNN7AAAAAAA"
- secret_key = "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"
}
\ No newline at end of file
diff --git a/test/testdata/terraform/aws-4.xx/fail/provider.tf b/test/testdata/terraform/aws-4.xx/fail/provider.tf
index 23b51462..8ba741f0 100644
--- a/test/testdata/terraform/aws-4.xx/fail/provider.tf
+++ b/test/testdata/terraform/aws-4.xx/fail/provider.tf
@@ -9,7 +9,4 @@ terraform {
provider "aws" {
# Configuration options
- region = "us-west-2"
- access_key = "AKIAIOSFODNN7AAAAAAA"
- secret_key = "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"
}
\ No newline at end of file