
investigate CKV_AWS_149 Checkov warning suppression - in the affected workflows #4999

Closed
2 tasks done
ewastempel opened this issue Sep 13, 2023 · 1 comment

Comments

@ewastempel
Contributor

ewastempel commented Sep 13, 2023

User Story

Revisit fixing the CKV_AWS_149 Checkov warning that is currently suppressed.
See the workflows that were affected:
terraform-static-analysis.yml: https://github.com/ministryofjustice/modernisation-platform/actions/runs/5923065434/job/16058039084

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:19-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		19 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		20 |   name                    = "tactical-products-db-secrets"
		21 |   recovery_window_in_days = 0
		22 | }

code-scanning.yml: https://github.com/ministryofjustice/modernisation-platform/actions/runs/5921047939/job/16053081949
Additionally add ticket to update all pipelines to use slack notifications when a pipeline fails.

If sensible, then fix these.

Is it possible to use a custom KMS key in this instance?

Value

Improving security posture.

Definition of done

  • another team member has reviewed
  • tests are green

Reference

How to write good user stories

@dms1981
Contributor

dms1981 commented Jan 31, 2024

Applied KMS key to relevant resources, removed Checkov and Tfsec exclusions.
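As an added example, not code from the modernisation-platform repository: the resource from the Checkov output in the issue description, beside the shape of the fix the closing comment describes (a customer-managed KMS key referenced through kms_key_id). The key resource names, alias and description are assumptions chosen for illustration.

```hcl
# Added example, not the project's own code. Resource names, the alias and the
# description below are assumptions.

# Before: no kms_key_id, so Secrets Manager falls back to the AWS-managed key
# (aws/secretsmanager). Checkov CKV_AWS_149 reports this resource as FAILED.
resource "aws_secretsmanager_secret" "rds_db_credentials_unencrypted" {
  name                    = "tactical-products-db-secrets"
  recovery_window_in_days = 0
}

# After: a customer-managed key (CMK) owned by the account, with automatic
# rotation enabled and a deletion window so an accidental destroy is recoverable.
resource "aws_kms_key" "secrets_manager" {
  description             = "CMK for Secrets Manager secrets (assumed name)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# A friendly alias for the key; alias name is an assumption.
resource "aws_kms_alias" "secrets_manager" {
  name          = "alias/secrets-manager-cmk"
  target_key_id = aws_kms_key.secrets_manager.key_id
}

# The same secret, now encrypted with the CMK. Pointing kms_key_id at the
# customer-managed key is what satisfies CKV_AWS_149, so the check no longer
# needs a skip comment in the workflow or a tfsec/Checkov exclusion.
resource "aws_secretsmanager_secret" "rds_db_credentials" {
  name                    = "tactical-products-db-secrets"
  recovery_window_in_days = 0
  kms_key_id              = aws_kms_key.secrets_manager.arn
}

# Caveat: once a CMK is in use, every principal that reads the secret also
# needs kms:Decrypt on this key (and kms:GenerateDataKey to write it), granted
# via the key policy or IAM; with the AWS-managed key that was implicit.
```

Running Checkov against this file should report CKV_AWS_149 as PASSED for aws_secretsmanager_secret.rds_db_credentials and FAILED for the before resource, which is a useful way to confirm the suppression can be removed.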

@dms1981 dms1981 closed this as completed Jan 31, 2024
@dms1981 dms1981 self-assigned this Jan 31, 2024
@github-project-automation github-project-automation bot moved this from To Do to Done in Modernisation Platform Jan 31, 2024