Addressing issues reported by checkov prior to integration #239

michaelsaki opened this issue Mar 21, 2024 · 0 comments
Labels
security This issue or pull request addresses a security issue


michaelsaki commented Mar 21, 2024

💡 Summary

This is related to cisagov/skeleton-generic#172. After having run checkov scans locally against cool-assessment-terraform, the scan shows: Passed checks: 873, Failed checks: 176, Skipped checks: 0.

These checks need to be addressed in a systematic way as we are planning to integrate checkov into the pre-commit linting jobs. Since this ticket is made from just cool-assessment-terraform there might be other checks that fail on other Terraform repositories in https://github.com/cisagov, but this will be a good start.

NOTE: Each failed check might not necessarily need to be fixed. There could be some cases of false flags in which we don't want to adhere to the policies that checkov enforces. In these cases we can set up configurations to bypass these checks, but they will need to be approved before bypassing.

Here is the file from a full scan of cool-assessment-terraform: checkov_results.txt

Each check will have a guide linked to it for applying a fix. The checks that failed for cool-assessment-terraform are as follows:

  • CKV_AWS_1: Ensure IAM policies that allow full "-" administrative privileges are not created.
  • CKV_AWS_8: Ensure all data stored in the EBS is securely encrypted.
  • CKV_AWS_23: Ensure every security groups rule has a description.
  • CKV_AWS_49: Ensure no IAM policies documents allow "*" as a statement's actions.
  • CKV_AWS_88: EC2 instance should not have a public IP.
  • CKV_AWS_111: Ensure IAM policies do not allow write access without constraints.
  • CKV_AWS_126: Ensure that detailed monitoring is enabled for EC2 instances.
  • CKV_AWS_135: Ensure that EC2 is EBS optimized.
  • CKV_AWS_184: Ensure resource is encrypted by KMS using a customer managed Key (CMK).
  • CKV_AWS_231: Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389.
  • CKV_AWS_277: Ensure no security groups allow ingress from 0.0.0.0:0 to port -1.
  • CKV_AWS_352: Ensure NACL ingress does not allow all Ports.
  • CKV_AWS_356: Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions.
  • CKV2_AWS_11: Ensure VPC flow logging is enabled in all VPCs.
  • CKV2_AWS_12: Ensure the default security group of every VPC restricts all traffic.
  • CKV2_AWS_19: Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances.
  • CKV2_AWS_23: Route53 A Record has Attached Resource.
  • CKV2_AWS_38: Ensure DNSSEC signing is enabled for Amazon Route 53 public hosted zones.
  • CKV2_AWS_39: Ensure DNS query logging is enabled for Amazon Route 53 hosted zones.
  • CKV_TF_1: Ensure Terraform module sources use a commit hash.
  • CKV2_GHA_1: Ensure top-level permissions are not set to write-all.
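As an added illustration of what the fix for several of the checks above looks like in Terraform (this is example code written for this page, not code from the cisagov issue or from the cool-assessment-terraform repository): each "before" resource is written the way checkov flags it, the "after" resource sets the attribute the check description names, and one resource shows the inline, justified skip that the note above describes for an approved bypass. All resource and variable names, the operator CIDR list, the module URL and the commit hash are placeholders, and which attribute each check inspects is taken from the check descriptions in the issue, so confirm it against the checkov documentation for the checkov version you integrate.

```hcl
# Added example, not from the cisagov issue or the cool-assessment-terraform
# repository. Names, CIDRs, the module URL and the commit sha are placeholders.

variable "vpc_id" { type = string }
variable "ami_id" { type = string }
variable "private_subnet_id" { type = string }
variable "operator_cidrs" {
  type        = list(string)
  description = "Operator source ranges allowed to reach the host (placeholder)"
}

resource "aws_security_group" "example" {
  name        = "example-sg"
  description = "Example security group for the checkov before/after comparison"
  vpc_id      = var.vpc_id
}

# BEFORE: fails CKV_AWS_23 (no description) and CKV_AWS_277
# (all protocols, "port -1" in the check's wording, open to 0.0.0.0/0).
resource "aws_security_group_rule" "ingress_before" {
  type              = "ingress"
  security_group_id = aws_security_group.example.id
  protocol          = "-1"
  from_port         = -1
  to_port           = -1
  cidr_blocks       = ["0.0.0.0/0"]
}

# AFTER: one documented rule, a single port, a scoped source range.
resource "aws_security_group_rule" "ingress_https" {
  type              = "ingress"
  description       = "HTTPS from operator ranges" # CKV_AWS_23
  security_group_id = aws_security_group.example.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = var.operator_cidrs # scoped list, not 0.0.0.0/0 (CKV_AWS_277)
}

# BEFORE: fails CKV_AWS_88 (public IP), CKV_AWS_126 (no detailed monitoring),
# CKV_AWS_135 (not EBS optimized) and CKV_AWS_8 (root volume not encrypted).
resource "aws_instance" "before" {
  ami                         = var.ami_id
  instance_type               = "t3.small"
  subnet_id                   = var.private_subnet_id
  vpc_security_group_ids      = [aws_security_group.example.id]
  associate_public_ip_address = true
}

# AFTER: each flagged attribute is set explicitly instead of left to defaults.
resource "aws_instance" "after" {
  ami                         = var.ami_id
  instance_type               = "t3.small"
  subnet_id                   = var.private_subnet_id
  vpc_security_group_ids      = [aws_security_group.example.id]
  associate_public_ip_address = false # CKV_AWS_88
  monitoring                  = true  # CKV_AWS_126
  ebs_optimized               = true  # CKV_AWS_135

  root_block_device {
    encrypted = true # CKV_AWS_8
  }
}

# Approved bypass for a check the team decides not to follow (the "false flag"
# case from the issue note): the skip is inline, names the check id and carries
# the justification, so the reviewer approving it sees it in the same diff.
resource "aws_eip" "nat_gateway" {
  #checkov:skip=CKV2_AWS_19:Allocated for a NAT gateway, not an EC2 instance
  domain = "vpc"
}

# CKV_TF_1: pin module sources to a full commit hash rather than a branch or tag.
module "pinned_before" {
  source = "git::https://github.com/example-org/example-module.git?ref=develop" # fails
}

module "pinned_after" {
  source = "git::https://github.com/example-org/example-module.git?ref=<full-40-hex-commit-sha>" # placeholder sha
}
```

Running `checkov -d .` in a directory holding this file reports the "before" resources as failed and the "after" resources as passed, and lists the `aws_eip` under skipped checks together with the justification text, which is the review trail the note above asks for. Checkov also publishes a pre-commit hook (id `checkov` in the bridgecrewio/checkov repository), which is the integration path this issue is preparing for; the same skip comments and any `.checkov.yaml` suppressions apply there unchanged.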
michaelsaki changed the title from "Addressing issues reported by and integrating checkov" to "Addressing issues reported by checkov prior to integration" on Mar 21, 2024
michaelsaki added the "security" label (This issue or pull request addresses a security issue) on Mar 21, 2024
michaelsaki transferred this issue from cisagov/skeleton-generic on May 1, 2024