Fix or annotate/ignore trivy issues above low

finos · Dec 6, 2023 · 679a407 · 679a407
1 parent 7e3520b
commit 679a407
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 1 deletion.
diff --git a/deployment/dev_environment_cloud9/cfn/.trivyignore b/deployment/dev_environment_cloud9/cfn/.trivyignore
@@ -0,0 +1,5 @@
+#Bucket only contains Cloud9 deployment logs and doesnt require encryption
+AVD-AWS-0132
+AVD-AWS-0088
+AVD-AWS-0132
+AVD-AWS-0090
diff --git a/deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml b/deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml
@@ -277,6 +277,54 @@ Resources:
     Type: AWS::S3::Bucket
     DeletionPolicy: Delete
 
+  C9OutputBucketPolicy:
+    Type: 'AWS::S3::BucketPolicy'
+    Properties:
+      Bucket: !Ref C9OutputBucket
+      PolicyDocument:
+        Statement:
+          - Action:
+              - 's3:GetObject'
+              - 's3:PutObject'
+            Condition:
+              Bool:
+                'aws:SecureTransport': false
+            Effect: Deny
+            Principal: '*'
+            Resource: !Sub 'arn:${AWS::Partition}:s3:::${C9OutputBucket}/*'
+            Sid: DenyUnencryptedConnections
+          - Action:
+              - 's3:PutBucketAcl'
+              - 's3:PutObject'
+              - 's3:PutObjectAcl'
+            Condition:
+              StringEquals:
+                's3:x-amz-acl':
+                  - authenticated-read
+                  - public-read
+                  - public-read-write
+            Effect: Deny
+            Principal: '*'
+            Resource:
+              - !Sub 'arn:${AWS::Partition}:s3:::${C9OutputBucket}'
+              - !Sub 'arn:${AWS::Partition}:s3:::${C9OutputBucket}/*'
+            Sid: DenyPublicReadAcl
+          - Action:
+              - 's3:PutBucketAcl'
+              - 's3:PutObject'
+              - 's3:PutObjectAcl'
+            Condition:
+              StringLike:
+                's3:x-amz-grant-read':
+                  - !Sub '*http://acs.${AWS::URLSuffix}/groups/global/AllUsers*'
+                  - !Sub '*http://acs.${AWS::URLSuffix}/groups/global/AuthenticatedUsers*'
+            Effect: Deny
+            Principal: '*'
+            Resource:
+              - !Sub 'arn:${AWS::Partition}:s3:::${C9OutputBucket}'
+              - !Sub 'arn:${AWS::Partition}:s3:::${C9OutputBucket}/*'
+            Sid: DenyGrantingPublicRead
+
   C9SSMDocument:
     Type: AWS::SSM::Document
     Properties:

diff --git a/deployment/grid/terraform/compute_plane/eks.tf b/deployment/grid/terraform/compute_plane/eks.tf
@@ -60,7 +60,9 @@ module "eks_cloudwatch_kms_key" {
   aliases = ["cloudwatch/eks/${var.cluster_name}"]
 }
 
-
+#trivy:ignore:AVD-AWS-0040 Allow Public EKS API Access
+#trivy:ignore:AVD-AWS-0041 Allow API Access from 0.0.0.0/0
+#trivy:ignore:AVD-AWS-0104 Allow ALL Egress CIDR ranges
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "~> 19.0"

diff --git a/deployment/grid/terraform/control_plane/aws_iam.tf b/deployment/grid/terraform/control_plane/aws_iam.tf
@@ -4,6 +4,7 @@
 
 
 # HTC Agent permissions
+#trivy:ignore:AVD-AWS-0057 Allow sensitive permissions on individual resources
 resource "aws_iam_policy" "htc_agent_permissions" {
   name        = "htc_agent_permissions_policy_${local.suffix}"
   path        = "/"
@@ -128,6 +129,7 @@ EOF
 
 
 # Lambda Data Policy Permssions
+#trivy:ignore:AVD-AWS-0057 Allow sensitive permissions on individual resources
 resource "aws_iam_policy" "lambda_data_policy" {
   name        = "lambda_data_policy_${local.suffix}"
   path        = "/"