AWS Cloudfront Use Secure Tls Policy is not being detected #6205

felipeng · 2024-02-26T15:48:06Z

felipeng
Feb 26, 2024

IDs

AVD-AWS-0013

Description

Using the same code tfsec detect the issue with AWS CloufFront Use Secure Tls Policy, but not using trivy

Reproduction Steps

Using this code:

provider "aws" {
  region = "us-west-2"
}

resource "aws_cloudfront_distribution" "s3_distribution" {
  enabled      = true
  http_version = "http2and3"
  price_class  = "PriceClass_100"

  origin {
    domain_name              = "mybucket.s3.us-west-2.amazonaws.com"
    origin_access_control_id = "myid"
    origin_id                = "mybucket"
  }

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "mybucket"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
  }
  viewer_certificate {
    cloudfront_default_certificate = true
  }

  logging_config {
   include_cookies = false
   bucket          = "mylogs.s3.amazonaws.com"
   prefix          = "myprefix"
  }
  web_acl_id = "waf_id"
}

Running tfsec:

tfsec .

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 HIGH Distribution allows unencrypted communications. 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  cloudfront.tf:29-31
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    5    resource "aws_cloudfront_distribution" "s3_distribution" {
    .  
   29  ┌   viewer_certificate {
   30  │     cloudfront_default_certificate = true
   31  └   }
   ..  
   39    }
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudfront-use-secure-tls-policy
      Impact Outdated SSL policies increase exposure to known vulnerabilities
  Resolution Use the most modern TLS/SSL policies available

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.5/checks/aws/cloudfront/use-secure-tls-policy/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#minimum_protocol_version

Running trivy:

trivy config .
2024-02-26T07:44:47.139-0800    INFO    Misconfiguration scanning is enabled
2024-02-26T07:44:47.608-0800    INFO    Detected config files: 2



### Target

AWS

### Scanner

Misconfiguration

### Target OS

_No response_

### Debug Output

```bash
trivy config . --debug
2024-02-26T07:45:14.119-0800    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-26T07:45:14.144-0800    DEBUG   cache dir:  /Users/felipe.gonzalez/Library/Caches/trivy
2024-02-26T07:45:14.144-0800    INFO    Misconfiguration scanning is enabled
2024-02-26T07:45:14.153-0800    DEBUG   Policies successfully loaded from disk
2024-02-26T07:45:14.153-0800    DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-26T07:45:14.183-0800    DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-02-26T07:45:14.184-0800    DEBUG   Walk the file tree rooted at '.' in series
2024-02-26T07:45:14.184-0800    DEBUG   Scanning Terraform files for misconfigurations...
2024-02-26T07:45:14.184-0800    DEBUG   [misconf] 45:14.184325000 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13938441158833807544 710821585 0x10d1891c0} <nil>} {{{0 0} {[] {} 0x140021f2eb0} map[cloudfront.tf:0x14002c26050] 0}}}) .}] at '.'...
2024-02-26T07:45:14.186-0800    DEBUG   [misconf] 45:14.186494000 terraform.scanner.rego           Overriding filesystem for policies!
2024-02-26T07:45:14.249-0800    DEBUG   [misconf] 45:14.249431000 terraform.scanner.rego           Loaded 190 policies from disk.
2024-02-26T07:45:14.249-0800    DEBUG   [misconf] 45:14.249698000 terraform.scanner.rego           Overriding filesystem for data!
2024-02-26T07:45:14.560-0800    DEBUG   [misconf] 45:14.560677000 terraform.scanner                Scanning root module '.'...
2024-02-26T07:45:14.560-0800    DEBUG   [misconf] 45:14.560733000 terraform.parser.<root>          Setting project/module root to '.'
2024-02-26T07:45:14.560-0800    DEBUG   [misconf] 45:14.560742000 terraform.parser.<root>          Parsing FS from '.'
2024-02-26T07:45:14.560-0800    DEBUG   [misconf] 45:14.560764000 terraform.parser.<root>          Parsing 'cloudfront.tf'...
2024-02-26T07:45:14.562-0800    DEBUG   [misconf] 45:14.562937000 terraform.parser.<root>          Added file cloudfront.tf.
2024-02-26T07:45:14.562-0800    DEBUG   [misconf] 45:14.562963000 terraform.parser.<root>          Evaluating module...
2024-02-26T07:45:14.563-0800    DEBUG   [misconf] 45:14.563284000 terraform.parser.<root>          Read 2 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-02-26T07:45:14.563-0800    DEBUG   [misconf] 45:14.563303000 terraform.parser.<root>          Added 0 variables from tfvars.
2024-02-26T07:45:14.563-0800    DEBUG   [misconf] 45:14.563312000 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-02-26T07:45:14.563-0800    DEBUG   [misconf] 45:14.563344000 terraform.parser.<root>          Working directory for module evaluation is '/Users/felipe.gonzalez/incharge/gitlab/incharging/sandbox/terraform-trivy-cloudfront'
2024-02-26T07:45:14.563-0800    DEBUG   [misconf] 45:14.563896000 terraform.parser.<root>.evaluator Filesystem key is '23fc8b9593b0be844d42dd9f60459263dc0240ab16e913e0781c889e5a0f9c1b'
2024-02-26T07:45:14.563-0800    DEBUG   [misconf] 45:14.563919000 terraform.parser.<root>.evaluator Starting module evaluation...
2024-02-26T07:45:14.564-0800    DEBUG   [misconf] 45:14.564669000 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-02-26T07:45:14.564-0800    DEBUG   [misconf] 45:14.564678000 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-02-26T07:45:14.564-0800    DEBUG   [misconf] 45:14.564683000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-02-26T07:45:14.564-0800    DEBUG   [misconf] 45:14.564731000 terraform.parser.<root>.evaluator Module evaluation complete.
2024-02-26T07:45:14.564-0800    DEBUG   [misconf] 45:14.564743000 terraform.parser.<root>          Finished parsing module 'root'.
2024-02-26T07:45:14.564-0800    DEBUG   [misconf] 45:14.564750000 terraform.executor               Adapting modules...
2024-02-26T07:45:14.566-0800    DEBUG   [misconf] 45:14.566969000 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-02-26T07:45:14.566-0800    DEBUG   [misconf] 45:14.566987000 terraform.executor               Using max routines of 7
2024-02-26T07:45:14.566-0800    DEBUG   [misconf] 45:14.566996000 terraform.executor               Applying state modifier functions...
2024-02-26T07:45:14.567-0800    DEBUG   [misconf] 45:14.567053000 terraform.executor               Initialised 484 rule(s).
2024-02-26T07:45:14.567-0800    DEBUG   [misconf] 45:14.567059000 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-02-26T07:45:14.570-0800    DEBUG   [misconf] 45:14.569997000 terraform.scanner.rego           Scanning 1 inputs...
2024-02-26T07:45:14.574-0800    DEBUG   [misconf] 45:14.574933000 terraform.executor               Finished applying rules.
2024-02-26T07:45:14.574-0800    DEBUG   [misconf] 45:14.574956000 terraform.executor               Applying ignores...
2024-02-26T07:45:14.615-0800    DEBUG   OS is not detected.
2024-02-26T07:45:14.615-0800    INFO    Detected config files: 2
2024-02-26T07:45:14.615-0800    DEBUG   Scanned config file: .
2024-02-26T07:45:14.615-0800    DEBUG   Scanned config file: cloudfront.tf



### Version

```bash
trivy version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-03 12:07:44.471037765 +0000 UTC
  NextUpdate: 2023-05-03 18:07:44.471037365 +0000 UTC
  DownloadedAt: 2023-05-03 14:39:37.564001 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-02 00:52:04.408192575 +0000 UTC
  NextUpdate: 2023-05-05 00:52:04.408192075 +0000 UTC
  DownloadedAt: 2023-05-02 15:41:25.133603 +0000 UTC
Policy Bundle:
  Digest: sha256:73a2a1a91c421860d22f08b990a0ca28fee4ca1e1b45e0bdea14357867e31eb6
  DownloadedAt: 2024-02-26 15:31:58.988847 +0000 UTC



### Checklist

- [X] Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- [X] Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct

simar7 · 2024-02-26T22:29:00Z

simar7
Feb 26, 2024
Maintainer

For this check we need to check the value of viewer_protocol_policy. Trivy correctly checks that here: https://github.com/aquasecurity/trivy-policies/blob/main/checks/cloud/aws/cloudfront/enforce_https.go#L52

So Trivy is correct, tfsec is showing a false positive.

0 replies

felipeng · 2024-02-26T22:42:18Z

felipeng
Feb 26, 2024
Author

Thanks for checking. I am also working on the migration of another module and I noticed a similar situation for example:

module "aws-eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 19.21.0"
  cluster_name = "mycluster"
  cluster_encryption_config = {
    "resources" : [
      "secrets"
    ]
  }
}

even with the cluster_encryption_config configuration I'm getting a false positive: AVD-AWS-0039 HIGH: Cluster does not have secret encryption enabled.

HIGH: Cluster does not have secret encryption enabled.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
EKS cluster resources should have the encryption_config block set with protection of the secrets resource.

See https://avd.aquasec.com/misconfig/avd-aws-0039
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/eks/aws/main.tf:25-91
   via eks.tf:1-10 (module.aws-eks)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  25 ┌ resource "aws_eks_cluster" "this" {
  26 │   count = local.create ? 1 : 0
  27 │ 
  28 │   name                      = var.cluster_name
  29 │   role_arn                  = local.cluster_role
  30 │   version                   = var.cluster_version
  31 │   enabled_cluster_log_types = var.cluster_enabled_log_types
  32 │ 
  33 └   vpc_config {
  ..

2 replies

simar7 Feb 26, 2024
Maintainer

cc @nikpivkin we check for the encryption_config as documented for the hashicorp aws module. But the terraform-aws-module modules defines it as cluster_encryption_config as seen here. What gives?

nikpivkin Feb 27, 2024
Maintainer

aws_eks_cluster resource uses a dynamic block, this PR should solve the problem.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AWS Cloudfront Use Secure Tls Policy is not being detected #6205

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 2 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

AWS Cloudfront Use Secure Tls Policy is not being detected #6205

felipeng Feb 26, 2024

IDs

Description

Reproduction Steps

Replies: 2 comments · 2 replies

simar7 Feb 26, 2024 Maintainer

felipeng Feb 26, 2024 Author

simar7 Feb 26, 2024 Maintainer

nikpivkin Feb 27, 2024 Maintainer

felipeng
Feb 26, 2024

Replies: 2 comments 2 replies

simar7
Feb 26, 2024
Maintainer

felipeng
Feb 26, 2024
Author

simar7 Feb 26, 2024
Maintainer

nikpivkin Feb 27, 2024
Maintainer