diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
index b17b69fe..d77fd90c 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
@@ -1,5 +1,5 @@
-Enable encryption at rest
+Use Customer managed key
 ```yaml---
 Resources:
@@ -15,4 +15,6 @@ Resources:
 ```
+#### Remediation Links
+ - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md
index befbea4f..42edae5a 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md
@@ -1,5 +1,5 @@
-Enable encryption at rest
+Use Customer managed key
 ```hcl
 resource "aws_cloudtrail" "good_example" {
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md
index 5f8bc940..88770c40 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md
@@ -1,8 +1,8 @@
-Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach.
+Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.
 ### Impact
-Data can be freely read if compromised
+Using AWS managed keys does not allow for fine grained control
 {{ remediationActions }}
@@ -10,4 +10,6 @@ Data can be freely read if compromised
 ### Links
 - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
+- https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
+
diff --git a/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md b/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md
index c1ac8a8e..a2d54374 100644
--- a/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md
+++ b/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md
@@ -5,7 +5,7 @@ Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced
 resource "aws_iam_group" "support" {
 name = "support"
 }
-resource aws_iam_group_policy mfa {
+resource "aws_iam_group_policy" "mfa" {
 group = aws_iam_group.support.name
 policy = < update' should always be followed by ' github.com/aquasecurity/trivy-checks v0.10.2-0.20240417031955-932169bbd75f
diff --git a/go.sum b/go.sum
index a21b13a2..6c130ef0 100644
--- a/go.sum
+++ b/go.sum
@@ -220,8 +220,8 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI
 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU=
 github.com/aquasecurity/trivy v0.50.2-0.20240412195250-183eaafb4e42 h1:fc6b0EHEC5KYX9BtkzcG+8gmL/aQNLhbEUC33SpaAEc=
 github.com/aquasecurity/trivy v0.50.2-0.20240412195250-183eaafb4e42/go.mod h1:mIwSCXr6l6qTfBUGUYU5MNGZFy/OCeHbQtCqW+gWDU8=
-github.com/aquasecurity/trivy-policies v0.10.0 h1:QONOsIFi6+WyB+7NGMBQeCgMFcRg6RV9dTBBpeOFDxU=
-github.com/aquasecurity/trivy-policies v0.10.0/go.mod h1:7WU0GTUqtQxqQ+FV3JAy7lskQQZU6lp7Mz1i8GEapFw=
+github.com/aquasecurity/trivy-checks v0.10.2-0.20240417031955-932169bbd75f h1:k+sc/w1byCHI6ru10Wrwi6PAFyrqsq2fG3iiC94sHIA=
+github.com/aquasecurity/trivy-checks v0.10.2-0.20240417031955-932169bbd75f/go.mod h1:oTqV6F9QYlOp8zyF2Hv3X0K05Kqv5TxzSAYGJLiYQAc=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=