Gomboc Fix for #32 - tf-test

[gomboc-community-dev]

This fix was produced in response to #32 on the following target:

Repository	Branch	Directory
pepegc/rattleback	pepegc-patch-22	tf-test

Rules with observations	10
Affected resources	4
Resource types	4
Code fixes	7
Files modified	1

Recommendation	Resources	Observations
API Key Authentication	1	1
Client Authentication via IAM SigV4	1	1
Encryption At-Rest with Provider Managed Key	2	2
Encryption At-Rest with Bespoke Service Implementation	1	1
Encryption At-Rest with Customer Managed Key (CMK)	1	1
Deletion Protection	1	1
Request Tracing	2	2
On-Demand Capacity	1	1
Provisioned Capacity	1	1
Resource Tags	1	1

These recommendations come from the following benchmarks

Benchmark
Gomboc Best Practices CIS Critical Security Controls v8.1 (AWS)
CIS Critical Security Controls v8.1

[gomboc-community-dev]

To ensure proper resource management and categorization, the tags attribute has been added to your aws_dynamodb_table configuration. Including tags is crucial as it allows for better organization, tracking, and cost management of AWS resources. Not having tags can lead to challenges in identifying, managing, and allocating costs for your resources, especially in complex environments. By implementing this change, you enhance the traceability and governance of your DynamoDB tables.

Leave feedback

Please post on our discussions channel. You can provide the following reference: 411f3e36ed53e52f7e3cbaf9072767d6262fc37d250785221664e8503f0fb156

[gomboc-community-dev]

To enhance the resilience of your AWS DynamoDB Table against accidental deletions, the deletion_protection_enabled attribute has been set to true. This modification ensures that deletion protection is active, safeguarding the table from unintended deletions. Without this protection, there is a risk of losing critical data due to accidental deletion, which is particularly crucial for production environments. Enabling this setting helps maintain the integrity and availability of your data by preventing unintended operations that could lead to data loss.

Leave feedback

Please post on our discussions channel. You can provide the following reference: d464e376604756a617e8baccc5cc483f0de93c9d80f2d39c7ee5e0a0d2572966

[gomboc-community-dev]

I scanned the tf-test directory in search of Terraform misconfigurations. No issues found!

[gomboc-community-dev]

The billing_mode attribute for the aws_dynamodb_table resource was set to "PAY_PER_REQUEST". This configuration specifies the use of on-demand billing, which is recommended for tables with unpredictable or variable workloads. By using the "PAY_PER_REQUEST" billing mode, you can optimize cost efficiency, as charges are based solely on the read and write requests you make, rather than through pre-purchased capacity. This is particularly beneficial for applications with fluctuating demand patterns, ensuring you only pay for what you use and avoid over-provisioning resources.

Leave feedback

Please post on our discussions channel. You can provide the following reference: 2611ff7b5b3eae44bcc9796c834cd2d2c7935c9e97dd43e531cea620e981feb1

[gomboc-community-dev]

The server-side encryption block within your AWS DynamoDB Table resource has been modified to explicitly set the enabled attribute to false. This change ensures that server-side encryption is turned off for the DynamoDB Table.

Impact of the change: By explicitly setting server-side encryption to false, the data within this DynamoDB Table will not be encrypted at rest. This can be suitable for scenarios where encryption is managed externally or is not required by compliance. However, it is important to consider the security implications of this configuration, especially if the table contains sensitive information. Be sure to review your organization's data protection requirements to ensure this setting aligns with your security policies.

Leave feedback

Please post on our discussions channel. You can provide the following reference: b0f7e9f4458edaed4cd2552dd0d3c1f1f2afaf3a233e43f01c1c0ba789462c97

[gomboc-community-dev]

The tracing_config block was added to the AWS Lambda Function resource with the mode attribute set to Active. Enabling tracing in Active mode ensures that AWS X-Ray actively traces and monitors your Lambda function's requests. This change provides improved visibility into the function's performance and aids in diagnosing any issues, leading to better application reliability and easier troubleshooting.

Leave feedback

Please post on our discussions channel. You can provide the following reference: 62765aecbde07930d8afdc5696a332e40096397147c55134f82a87707ef492b7

[gomboc-community-dev]

The xray_enabled attribute for the AWS AppSync GraphQL API resource has been set to true. This modification enables AWS X-Ray tracing for the API, which is crucial for enhanced monitoring and debugging. Without this setting, you may miss out on detailed insights into API request paths and latencies, making it more challenging to troubleshoot performance issues and understand the behavior of your API. Enabling X-Ray tracing is especially beneficial in production environments where maintaining optimal performance and quickly diagnosing issues are critical.

Leave feedback

Please post on our discussions channel. You can provide the following reference: af879331249c525901eab405f59e69d22c6054f0f9210c45442068029cac615e

[gomboc-community-dev]

Recommended Change for AWS Keyspaces Table Resource

The following modification is recommended for the aws_keyspaces_table resource to ensure compliance with encryption best practices:

1. Modification: The encryption_specification block must be defined and include both the kms_key_identifier and type attributes. Specifically, if a kms_key_identifier is present, the type attribute should be set to CUSTOMER_MANAGED_KMS_KEY.

2. Impact of Change: By setting the type attribute to CUSTOMER_MANAGED_KMS_KEY when a kms_key_identifier is specified, you ensure that the encryption of the keyspaces table is managed by a customer-provided KMS key. This enhances security by allowing you to control and manage the encryption keys used to protect your data, which is a crucial aspect in maintaining data privacy and compliance with security policies.

Implementing this change will help maintain the integrity and confidentiality of the data within your AWS Keyspaces tables, leveraging AWS's robust encryption capabilities.

Leave feedback

Please post on our discussions channel. You can provide the following reference: 1f35f477d7faa9bdc76e6749f2e7d6cadf476dce54f62502f9a783d140e13f9d

[gomboc-community-dev]

The encryption_specification block for the aws_keyspaces_table resource has been modified to include both the kms_key_identifier and type attributes. The type attribute has been set to CUSTOMER_MANAGED_KMS_KEY to comply with the rule that requires this setting when kms_key_identifier is present.

The impact of this change is significant for security and compliance. By specifying CUSTOMER_MANAGED_KMS_KEY and providing a kms_key_identifier, you ensure that the encryption keys used for your AWS Keyspaces table are managed by you, allowing for greater control and monitoring of the data encryption process. This reduces the risk of unauthorized access and enhances the security posture of your application by leveraging customer-managed KMS keys for encryption.

Leave feedback

Please post on our discussions channel. You can provide the following reference: 1f35f477d7faa9bdc76e6749f2e7d6cadf476dce54f62502f9a783d140e13f9d