DEMO (do not merge): intentionally insecure terraform example #20
base: main
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| ############################################# | ||
| # INTENTIONALLY INSECURE – TRAINING EXAMPLE | ||
| # DO NOT COPY TO PRODUCTION | ||
| # | ||
| # Demonstrates common anti-patterns that scanners flag: | ||
| # - Public ingress on SSH/RDP/All TCP from 0.0.0.0/0 | ||
| # - Public egress (0.0.0.0/0 and ::/0) | ||
| # - Public S3 bucket (ACL), public access block disabled | ||
| # - No encryption / versioning on S3 | ||
| # - Missing tags/ownership metadata | ||
| ############################################# | ||
|
|
||
| terraform { | ||
| required_version = "~> 1.6" | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~> 5.0" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "aws" { | ||
| region = "ap-southeast-2" | ||
| } | ||
|
|
||
| # Wide-open Security Group (BAD) | ||
| resource "aws_security_group" "insecure_sg" { | ||
| name = "insecure-sg" | ||
| description = "Open SG for demo (INSECURE)" | ||
| vpc_id = "vpc-12345678" # demo placeholder | ||
|
|
||
| # SSH from anywhere (BAD) | ||
| ingress { | ||
| description = "SSH from Internet (BAD)" | ||
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| } | ||
|
|
||
| # RDP from anywhere (BAD) | ||
| ingress { | ||
| description = "RDP from Internet (BAD)" | ||
| from_port = 3389 | ||
| to_port = 3389 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
Check failure: Code scanning / Trivy. Security groups should not allow unrestricted ingress to SSH or RDP from any IP address. High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0107 Severity: HIGH Message: Security group rule allows unrestricted ingress from any IP address. Link: AVD-AWS-0107
||
| } | ||
|
|
||
| # Any TCP from anywhere (BAD) | ||
| ingress { | ||
| description = "Any TCP (BAD)" | ||
| from_port = 0 | ||
| to_port = 65535 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
Check failure: Code scanning / Trivy. Security groups should not allow unrestricted ingress to SSH or RDP from any IP address. High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0107 Severity: HIGH Message: Security group rule allows unrestricted ingress from any IP address. Link: AVD-AWS-0107
||
| } | ||
|
|
||
| # Egress anywhere (BAD) | ||
| egress { | ||
| description = "All egress (BAD)" | ||
| from_port = 0 | ||
| to_port = 0 | ||
| protocol = "-1" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
Check failure: Code scanning / Trivy. A security group rule should not allow unrestricted egress to any IP address. Critical
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability aws-vpc-no-public-egress-sgr Severity: CRITICAL Message: Security group rule allows unrestricted egress to any IP address. Link: aws-vpc-no-public-egress-sgr
||
| ipv6_cidr_blocks = ["::/0"] | ||
Check failure: Code scanning / Trivy. A security group rule should not allow unrestricted egress to any IP address. Critical
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability aws-vpc-no-public-egress-sgr Severity: CRITICAL Message: Security group rule allows unrestricted egress to any IP address. Link: aws-vpc-no-public-egress-sgr
||
| } | ||
|
|
||
| # No tags on purpose (BAD) | ||
| } | ||
|
|
||
| # Public S3 bucket with public access block disabled (BAD) | ||
| resource "aws_s3_bucket" "insecure_bucket" { | ||
| bucket = "cnciso-insecure-demo-${random_id.suffix.hex}" | ||
| force_destroy = true # allows accidental data loss (BAD) | ||
| # No server-side encryption block (BAD) | ||
| # No versioning (BAD) | ||
| # Public ACL (BAD) | ||
| acl = "public-read" | ||
Check failure: Code scanning / Trivy. S3 Buckets not publicly accessible through ACL. High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0092 Severity: HIGH Message: Bucket has a public ACL: "public-read" Link: AVD-AWS-0092
||
| } | ||
|
Comment on lines +74 to +81
Check failure: Code scanning / Trivy. Unencrypted S3 bucket. High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0088 Severity: HIGH Message: Bucket does not have encryption enabled Link: AVD-AWS-0088
Comment on lines +74 to +81
Check notice: Code scanning / Trivy. S3 Bucket Logging Low
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability s3-bucket-logging Severity: LOW Message: Bucket has logging disabled Link: s3-bucket-logging
Comment on lines +74 to +81
Check warning: Code scanning / Trivy. S3 Data should be versioned Medium
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0090 Severity: MEDIUM Message: Bucket does not have versioning enabled Link: AVD-AWS-0090
Comment on lines +74 to +81
Check failure: Code scanning / Trivy. S3 encryption should use Customer Managed Keys High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0132 Severity: HIGH Message: Bucket does not encrypt data with a customer managed key. Link: AVD-AWS-0132
||
|
|
||
| resource "aws_s3_bucket_public_access_block" "insecure_bucket_pab" { | ||
| bucket = aws_s3_bucket.insecure_bucket.id | ||
| block_public_acls = false # BAD | ||
Check failure: Code scanning / Trivy. S3 Access block should block public ACL High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0086 Severity: HIGH Message: Public access block does not block public ACLs Link: AVD-AWS-0086
||
| block_public_policy = false # BAD | ||
Check failure: Code scanning / Trivy. S3 Access block should block public policy High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0087 Severity: HIGH Message: Public access block does not block public policies Link: AVD-AWS-0087
||
| ignore_public_acls = false # BAD | ||
Check failure: Code scanning / Trivy. S3 Access Block should Ignore Public ACL High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0091 Severity: HIGH Message: Public access block does not ignore public ACLs Link: AVD-AWS-0091
||
| restrict_public_buckets = false # BAD | ||
Check failure: Code scanning / Trivy. S3 Access block should restrict public bucket to limit access High
Artifact: examples/terraform/main.bad.tf
Type: terraform Vulnerability AVD-AWS-0093 Severity: HIGH Message: Public access block does not restrict public buckets Link: AVD-AWS-0093
||
| } | ||
|
|
||
| # Random suffix so plans don't collide (demo only) | ||
| resource "random_id" "suffix" { | ||
| byte_length = 2 | ||
| } | ||
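Review bot: `random_id.suffix`, referenced in the bucket name on the `aws_s3_bucket` line, needs the `hashicorp/random` provider, but the `required_providers` block at the top of the hunk only declares `aws`; Terraform resolves the undeclared provider implicitly with no version constraint, so add `random = { source = "hashicorp/random", version = "~> 3.0" }` next to the `aws` entry so the demo pins both providers the same way. Two apply-time caveats worth stating in the header comment, since trainees will otherwise assume every "(BAD)" line is reachable: `acl = "public-read"` on `aws_s3_bucket` is deprecated in the `~> 5.0` provider in favour of the separate `aws_s3_bucket_acl` resource, and because new buckets are created with ACLs disabled by default, the ACL would be rejected at apply time without an `aws_s3_bucket_ownership_controls` resource, so the Trivy finding on that line (AVD-AWS-0092) is a static-analysis result rather than a state the bucket would actually reach. Finally, the header lists "Missing tags/ownership metadata" among the anti-patterns scanners flag, yet none of the Trivy annotations on this hunk concern tags and the `# No tags on purpose (BAD)` marker appears only inside the security group; either trim that header bullet or note that this finding comes from a different scanner or policy than the ones shown here.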