feat(terraform): 7 new policies #7056

TomerSegev241 · 2025-03-17T08:52:54Z

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

CKV2_AWS_76 aligns to "AWS ALB attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability" 974cbc1a-d26b-4465-bbdc-991edf2a334b
CKV2_AWS_77 aligns to "AWS API Gateway Rest API attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability" 8d65d3b7-75f2-4628-b07b-ab574041dbdf
CKV2_AWS_78 aligns to "AWS AppSync attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability" efecd50f-5a1f-4d6d-b862-8e760b9612e4
CKV_AWS_389 aligns to "AWS Auto Scaling group launch configuration has public IP address assignment enabled" 8336772f-d32c-4a8f-9c72-0ae7dcb637e9
CKV_AWS_390 aligns to "AWS EMR Block public access setting disabled" 0bcfdab2-31d8-4dc9-a91c-42c7a7242e01
CKV_AWS_391 aligns to "AWS Redshift cluster with commonly used master username and public access setting enabled" 4482eb7e-513a-4620-922f-16f495fbc4b0
CKV_AWS_392 aligns to "AWS S3 access point Block public access setting disabled" b1b718d8-e62e-497d-80f2-2baa66a4f8bd
CKV_AWS_388 aligns to "Ensure AWS Aurora PostgreSQL is not exposed to local file read vulnerability" c69f2020-a640-4df1-91fc-f1a14e480cb8

Checklist:

I have performed a self-review of my own code
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have added tests that prove my feature, policy, or fix is effective and works
New and existing tests pass locally with my changes

tsmithv11

Nice work! Left some comments. Also:

Please add in the description the CKV ID to Prisma Cloud ID mapping
Make sure the tests pass
Add evaluated_keys or get_evaluated_keys

checkov/terraform/checks/resource/aws/AutoScalingGroupWithPublicAccess.py

checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py

checkov/terraform/checks/resource/aws/RedshiftClusterWithCommonUsernameAndPublicAccess.py

checkov/terraform/checks/resource/aws/S3BucketPubliclyReadableViaACL.py

checkov/terraform/checks/resource/aws/UnpatchedAuroraPostgresDB.py

checkov/terraform/checks/resource/aws/WAFv2VulnerableForLog4j.py

…icAccess.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

…nUsernameAndPublicAccess.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

…ViaACL.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

…B.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

…essible.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

…from-CSPM' into feat(terraform)-medium-policies-from-CSPM

…from-CSPM' into feat(terraform)-medium-policies-from-CSPM # Conflicts: # checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py # checkov/terraform/checks/resource/aws/RedshiftClusterWithCommonUsernameAndPublicAccess.py # checkov/terraform/checks/resource/aws/S3BucketPubliclyReadableViaACL.py # checkov/terraform/checks/resource/aws/WAFv2VulnerableForLog4j.py

checkov/terraform/checks/graph_checks/aws/ALBWebACLConfiguredWIthLog4jVulnerability.yaml

checkov/terraform/checks/resource/aws/AutoScalingGroupWithPublicAccess.py

checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py

checkov/terraform/checks/resource/aws/RedshiftClusterWithCommonUsernameAndPublicAccess.py

checkov/terraform/checks/resource/aws/S3AccessPointPubliclyAccessible.py

checkov/terraform/checks/resource/aws/UnpatchedAuroraPostgresDB.py

checkov/terraform/checks/graph_checks/aws/S3BucketPubliclyReadableViaACL.yaml

checkov/terraform/checks/graph_checks/aws/AppsyncWebACLConfiguredWIthLog4jVulnerability.yaml

checkov/terraform/checks/graph_checks/aws/APIGatewayWebACLConfiguredWIthLog4jVulnerability.yaml

checkov/terraform/checks/graph_checks/aws/ALBWebACLConfiguredWIthLog4jVulnerability.yaml

…ithub.com/bridgecrewio/checkov into feat(terraform)-medium-policies-from-CSPM

@taylor

* 7 new policies * Update checkov/terraform/checks/resource/aws/AutoScalingGroupWithPublicAccess.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/RedshiftClusterWithCommonUsernameAndPublicAccess.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/S3BucketPubliclyReadableViaACL.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/UnpatchedAuroraPostgresDB.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/WAFv2VulnerableForLog4j.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/S3AccessPointPubliclyAccessible.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * changes due to @taylor comments * pre-commit warnings fixed * update due to Taylor comments * delete auto created init file * delete auto created init file * delete python test file * fix expected failures * Switch class * Fixes * fix flake8 * fix tests * Update IDs * fix id --------- Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> Co-authored-by: Taylor <tsmith.v11@gmail.com>

@taylor

* 7 new policies * Update checkov/terraform/checks/resource/aws/AutoScalingGroupWithPublicAccess.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/RedshiftClusterWithCommonUsernameAndPublicAccess.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/S3BucketPubliclyReadableViaACL.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/UnpatchedAuroraPostgresDB.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/WAFv2VulnerableForLog4j.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * Update checkov/terraform/checks/resource/aws/S3AccessPointPubliclyAccessible.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> * changes due to @taylor comments * pre-commit warnings fixed * update due to Taylor comments * delete auto created init file * delete auto created init file * delete python test file * fix expected failures * Switch class * Fixes * fix flake8 * fix tests * Update IDs * fix id --------- Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com> Co-authored-by: Taylor <tsmith.v11@gmail.com>

TomerSegev241 and others added 2 commits March 17, 2025 10:52

7 new policies

4402b14

Merge branch 'main' into feat(terraform)-medium-policies-from-CSPM

5c0fda1

TomerSegev241 changed the title ~~7 new policies~~ feat(terraform): 7 new policies Mar 17, 2025

Merge branch 'main' into feat(terraform)-medium-policies-from-CSPM

1b4fe7d

tsmithv11 had a problem deploying to scan-security March 21, 2025 23:51 — with GitHub Actions Failure

tsmithv11 suggested changes Mar 22, 2025

View reviewed changes

Update checkov/terraform/checks/resource/aws/AutoScalingGroupWithPubl…

be6fb41

…icAccess.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

TomerSegev241 had a problem deploying to scan-security March 23, 2025 08:17 — with GitHub Actions Failure

Update checkov/terraform/checks/resource/aws/EMRPubliclyAccessible.py

2303bb7

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

TomerSegev241 had a problem deploying to scan-security March 23, 2025 08:17 — with GitHub Actions Failure

Update checkov/terraform/checks/resource/aws/RedshiftClusterWithCommo…

ff53111

…nUsernameAndPublicAccess.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

TomerSegev241 had a problem deploying to scan-security March 23, 2025 08:17 — with GitHub Actions Failure

Update checkov/terraform/checks/resource/aws/S3BucketPubliclyReadable…

b0973cd

…ViaACL.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

TomerSegev241 had a problem deploying to scan-security March 23, 2025 08:18 — with GitHub Actions Failure

TomerSegev241 and others added 2 commits March 23, 2025 10:18

Update checkov/terraform/checks/resource/aws/UnpatchedAuroraPostgresD…

0f13976

…B.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

Update checkov/terraform/checks/resource/aws/WAFv2VulnerableForLog4j.py

18d55df

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

TomerSegev241 had a problem deploying to scan-security March 23, 2025 08:18 — with GitHub Actions Failure

Update checkov/terraform/checks/resource/aws/S3AccessPointPubliclyAcc…

22e7019

…essible.py Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

TomerSegev241 had a problem deploying to scan-security March 23, 2025 08:19 — with GitHub Actions Failure

TomerSegev241 added 2 commits March 23, 2025 14:17

changes due to @taylor comments

0ece751

Merge remote-tracking branch 'origin/feat(terraform)-medium-policies-…

f814203

…from-CSPM' into feat(terraform)-medium-policies-from-CSPM

TomerSegev241 had a problem deploying to scan-security March 23, 2025 12:18 — with GitHub Actions Failure

pre-commit warnings fixed

3fe07ce

TomerSegev241 had a problem deploying to scan-security March 23, 2025 12:25 — with GitHub Actions Failure

TomerSegev241 added 2 commits April 30, 2025 14:51

update due to Taylor comments

756672e

TomerSegev241 had a problem deploying to scan-security April 30, 2025 12:23 — with GitHub Actions Failure

Merge branch 'main' into feat(terraform)-medium-policies-from-CSPM

23f40a1

TomerSegev241 had a problem deploying to scan-security April 30, 2025 12:25 — with GitHub Actions Failure

delete auto created init file

27ea5bb

Merge branch 'main' into feat(terraform)-medium-policies-from-CSPM

f902168

TomerSegev241 had a problem deploying to scan-security May 11, 2025 08:12 — with GitHub Actions Failure

tsmithv11 reviewed May 13, 2025

View reviewed changes

Switch class

9aec899

tsmithv11 had a problem deploying to scan-security May 15, 2025 07:48 — with GitHub Actions Failure

Fixes

d86544c

tsmithv11 had a problem deploying to scan-security May 16, 2025 20:24 — with GitHub Actions Failure

fix flake8

c8cf234

tsmithv11 had a problem deploying to scan-security May 16, 2025 20:34 — with GitHub Actions Failure

Merge branch 'main' into feat(terraform)-medium-policies-from-CSPM

ab78d74

tsmithv11 had a problem deploying to scan-security May 16, 2025 20:34 — with GitHub Actions Failure

fix tests

966ae94

tsmithv11 had a problem deploying to scan-security May 16, 2025 20:45 — with GitHub Actions Failure

tsmithv11 approved these changes May 16, 2025

View reviewed changes

TomerSegev241 requested a review from tsmithv11 May 18, 2025 10:14

tsmithv11 approved these changes May 18, 2025

View reviewed changes

bo156 reviewed May 19, 2025

View reviewed changes

checkov/terraform/checks/graph_checks/aws/ALBWebACLConfiguredWIthLog4jVulnerability.yaml Outdated Show resolved Hide resolved

Update IDs

880837d

tsmithv11 had a problem deploying to scan-security May 19, 2025 09:29 — with GitHub Actions Failure

Merge branch 'main' into feat(terraform)-medium-policies-from-CSPM

e4be60d

tsmithv11 had a problem deploying to scan-security May 19, 2025 09:29 — with GitHub Actions Failure

tsmithv11 added 2 commits May 19, 2025 02:37

fix id

dda0e29

Merge branch 'feat(terraform)-medium-policies-from-CSPM' of https://g…

438fa6f

…ithub.com/bridgecrewio/checkov into feat(terraform)-medium-policies-from-CSPM

tsmithv11 had a problem deploying to scan-security May 19, 2025 09:37 — with GitHub Actions Failure

bo156 approved these changes May 19, 2025

View reviewed changes

tsmithv11 merged commit 88c08b9 into main May 19, 2025
43 of 44 checks passed

tsmithv11 deleted the feat(terraform)-medium-policies-from-CSPM branch May 19, 2025 15:13

sourcery-ai bot mentioned this pull request May 19, 2025

[pull] main from bridgecrewio:main Stars1233/checkov#93

Merged

feat(terraform): 7 new policies #7056

feat(terraform): 7 new policies #7056

Uh oh!

Conversation

TomerSegev241 commented Mar 17, 2025 • edited by tsmithv11 Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

User description

Description

Checklist:

Uh oh!

tsmithv11 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

TomerSegev241 commented Mar 17, 2025 •

edited by tsmithv11

Loading