DEMO (do not merge): intentionally insecure terraform example #20
karlllewis wants to merge 1 commit into
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] |
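Review bot: the ingress rule at `from_port = 22` / `to_port = 22` uses `cidr_blocks = ["0.0.0.0/0"]`, which is what Trivy flags as unrestricted SSH from any IP. If inbound SSH is needed at all, scope `cidr_blocks` to a bastion or VPN range supplied through a variable (for example an `admin_cidrs` list, a hypothetical name) or reference a source security group instead of a CIDR; otherwise drop the rule and use a session-based access path that needs no inbound port.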
Check failure
Code scanning / Trivy
Security groups should not allow unrestricted ingress to SSH or RDP from any IP address. High
| from_port = 3389 | ||
| to_port = 3389 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] |
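Review bot: same problem as the SSH rule, now for RDP: `from_port = 3389` / `to_port = 3389` with `cidr_blocks = ["0.0.0.0/0"]` exposes the RDP listener to the whole internet. Restrict the source to the administrative network that actually needs it, or remove the rule and reach the host through a bastion or a managed session service.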
Check failure
Code scanning / Trivy
Security groups should not allow unrestricted ingress to SSH or RDP from any IP address. High
| from_port = 0 | ||
| to_port = 65535 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] |
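Review bot: the rule spanning `from_port = 0` to `to_port = 65535` over `protocol = "tcp"` from `0.0.0.0/0` opens every TCP port to the internet and subsumes the SSH and RDP rules above, so narrowing those two alone would change nothing. A security group should list only the specific ports each service needs, each with the narrowest source (CIDR or source security group) that works; a blanket 0-65535 range should not appear in any ingress block.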
Check failure
Code scanning / Trivy
Security groups should not allow unrestricted ingress to SSH or RDP from any IP address. High
| from_port = 0 | ||
| to_port = 0 | ||
| protocol = "-1" | ||
| cidr_blocks = ["0.0.0.0/0"] |
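Review bot: `protocol = "-1"` with `from_port = 0` and `to_port = 0` is the all-protocols, all-ports form, and combined with `cidr_blocks = ["0.0.0.0/0"]` Trivy reports it as unrestricted egress. Wide-open egress matters because it is the path a compromised instance uses to reach the outside; restrict it to the destinations and ports the workload actually needs (VPC endpoints, a known package mirror, an outbound proxy) rather than any IPv4 address.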
Check failure
Code scanning / Trivy
A security group rule should not allow unrestricted egress to any IP address. Critical
| to_port = 0 | ||
| protocol = "-1" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| ipv6_cidr_blocks = ["::/0"] |
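Review bot: `ipv6_cidr_blocks = ["::/0"]` next to `cidr_blocks = ["0.0.0.0/0"]` makes this all-protocol (`protocol = "-1"`) egress rule unrestricted over IPv6 as well, so fixing only the IPv4 list would leave the v6 path fully open. Both lists need the same restriction, and if the workload does not use IPv6 the `ipv6_cidr_blocks` entry should simply be omitted.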
Check failure
Code scanning / Trivy
A security group rule should not allow unrestricted egress to any IP address. Critical
| # No server-side encryption block (BAD) | ||
| # No versioning (BAD) | ||
| # Public ACL (BAD) | ||
| acl = "public-read" |
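Review bot: `acl = "public-read"` grants anonymous read access to every object in the bucket, and the comments above record that server-side encryption and versioning are also missing. The hardened form is `acl = "private"` (or no ACL at all, relying on an `aws_s3_bucket_ownership_controls` resource with ACLs disabled), plus an `aws_s3_bucket_server_side_encryption_configuration` resource for encryption at rest and an `aws_s3_bucket_versioning` resource so deleted or overwritten objects can be recovered.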
Check failure
Code scanning / Trivy
S3 Buckets not publicly accessible through ACL. High
|
|
||
| resource "aws_s3_bucket_public_access_block" "insecure_bucket_pab" { | ||
| bucket = aws_s3_bucket.insecure_bucket.id | ||
| block_public_acls = false # BAD |
Check failure
Code scanning / Trivy
S3 Access block should block public ACL High
| resource "aws_s3_bucket_public_access_block" "insecure_bucket_pab" { | ||
| bucket = aws_s3_bucket.insecure_bucket.id | ||
| block_public_acls = false # BAD | ||
| block_public_policy = false # BAD |
Check failure
Code scanning / Trivy
S3 Access block should block public policy High
| bucket = aws_s3_bucket.insecure_bucket.id | ||
| block_public_acls = false # BAD | ||
| block_public_policy = false # BAD | ||
| ignore_public_acls = false # BAD |
Check failure
Code scanning / Trivy
S3 Access Block should Ignore Public ACL High
| block_public_acls = false # BAD | ||
| block_public_policy = false # BAD | ||
| ignore_public_acls = false # BAD | ||
| restrict_public_buckets = false # BAD |
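Review bot: all four settings in `aws_s3_bucket_public_access_block` (`block_public_acls`, `block_public_policy`, `ignore_public_acls`, `restrict_public_buckets`) are `false`, which is equivalent to not having the block at all; each should be `true`. Because this resource is attached to the same bucket that sets `acl = "public-read"`, `ignore_public_acls = true` is the setting that would actually neutralise that ACL, and `block_public_policy = true` / `restrict_public_buckets = true` close the bucket-policy route to the same exposure.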
Check failure
Code scanning / Trivy
S3 Access block should restrict public bucket to limit access High
🚫 Purposefully Failing PR – Terraform Demo
Goal: Demonstrate CNCISO’s secure-by-default-starter guardrails in action (for terraform). This PR intentionally includes insecure files that violate our security posture.
❌ What’s in this PR
examples/terraform/main.bad.tf → bad s3 policy, wide open security groups, unfiltered egress
🔍 Expected Behavior
sbom-spdx artifact). This PR is a teaching tool and will remain unmerged to preserve the failing example