TerraGoat – Vulnerable Terraform Infrastructure
TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
TerraGoat was built to enable DevSecOps to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Checkov, inline-linters, pre-commit hooks, or other code scanning methods.
TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.
Existing vulnerabilities (Auto-Generated)
| # | check_id | file | resource | check_name |
|---|---|---|---|---|
| 0 | CKV_AWS_46 | /ec2.tf | aws_instance.web_host | Ensure no hardcoded AWS access key and secret key exists in EC2 user data |
| 1 | CKV_AWS_8 | /ec2.tf | aws_instance.web_host | Ensure all data stored in the Launch configuration EBS is securely encrypted |
| 2 | CKV_AWS_3 | /ec2.tf | aws_ebs_volume.web_host_storage | Ensure all data stored in the EBS is securely encrypted |
| 3 | CKV_AWS_4 | /ec2.tf | aws_ebs_snapshot.example_snapshot | Ensure all data stored in the EBS Snapshot is securely encrypted |
| 4 | CKV_AWS_24 | /ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
| 5 | CKV_AWS_21 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket have versioning enabled |
| 6 | CKV_AWS_52 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure S3 bucket has MFA delete enabled |
| 7 | CKV_AWS_19 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 8 | CKV_AWS_18 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure the S3 bucket has access logging enabled |
| 9 | CKV_AWS_21 | /s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket have versioning enabled |
| 10 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.data | Ensure S3 bucket has MFA delete enabled |
| 11 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 12 | CKV_AWS_20 | /s3.tf | aws_s3_bucket.data | S3 Bucket has an ACL defined which allows public READ access. |
| 13 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.data | Ensure the S3 bucket has access logging enabled |
| 14 | CKV_AWS_21 | /s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket have versioning enabled |
| 15 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.financials | Ensure S3 bucket has MFA delete enabled |
| 16 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 17 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.financials | Ensure the S3 bucket has access logging enabled |
| 18 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.operations | Ensure S3 bucket has MFA delete enabled |
| 19 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.operations | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 20 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.operations | Ensure the S3 bucket has access logging enabled |
| 21 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.data_science | Ensure S3 bucket has MFA delete enabled |
| 22 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.data_science | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 23 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.logs | Ensure S3 bucket has MFA delete enabled |
| 24 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.logs | Ensure the S3 bucket has access logging enabled |
| 25 | CKV_AWS_7 | /kms.tf | aws_kms_key.logs_key | Ensure rotation for customer created CMKs is enabled |
| 26 | CKV_AWS_16 | /db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS is securely encrypted at rest |
| 27 | CKV_AWS_17 | /db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS bucket is not publicly accessible |
| 28 | CKV_AWS_23 | /db-app.tf | aws_security_group.default | Ensure every security groups rule has a description |
| 29 | CKV_AWS_23 | /db-app.tf | aws_security_group_rule.ingress | Ensure every security groups rule has a description |
| 30 | CKV_AWS_23 | /db-app.tf | aws_security_group_rule.egress | Ensure every security groups rule has a description |
| 31 | CKV_AWS_8 | /db-app.tf | aws_instance.db_app | Ensure all data stored in the Launch configuration EBS is securely encrypted |
| 32 | CKV_AWS_41 | /providers.tf | aws | Ensure no hardcoded AWS access key and secret key exists in provider |
| 33 | CKV_AWS_40 | /iam.tf | aws_iam_user_policy.userpolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce the opportunity for a principal to inadvertently receive or retain excessive privileges.) |
| 34 | CKV_AWS_50 | /lambda.tf | aws_lambda_function.analysis_lambda | X-ray tracing is enabled for Lambda |
| 35 | CKV_AWS_45 | /lambda.tf | aws_lambda_function.analysis_lambda | Ensure no hardcoded AWS access key and secret key exists in lambda environment |
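As an added illustration (constructed for this page, not a file from the TerraGoat repository), the Terraform pattern behind the S3 and security-group findings in the table above, with the flagged form beside the corrected form. Bucket names, group names and the admin CIDR range are placeholders.

```hcl
# Constructed illustration, not a file from the TerraGoat repository.
# Flagged form: CKV_AWS_20 (public READ ACL), CKV_AWS_21 (no versioning),
# CKV_AWS_19 (no encryption at rest), CKV_AWS_18 (no access logging).
resource "aws_s3_bucket" "example_flagged" {
  bucket = "terragoat-example-flagged" # constructed name
  acl    = "public-read"
}
# Corrected form: private ACL, versioning with MFA delete (CKV_AWS_52),
# encryption at rest, and access logging to a separate log bucket.
resource "aws_s3_bucket" "example_fixed" {
  bucket = "terragoat-example-fixed" # constructed name
  acl    = "private"
  versioning {
    enabled    = true
    mfa_delete = true
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  logging {
    target_bucket = "terragoat-example-access-logs" # constructed name
    target_prefix = "log/"
  }
}
# Flagged form: CKV_AWS_24 (SSH open to 0.0.0.0/0), CKV_AWS_23 (no description).
resource "aws_security_group" "ssh_flagged" {
  name = "ssh-flagged"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Corrected form: SSH limited to an administrative range, every rule described.
resource "aws_security_group" "ssh_fixed" {
  name = "ssh-fixed"
  ingress {
    description = "SSH from the administrative VPN range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"] # constructed placeholder range
  }
}
```

Note that `mfa_delete = true` only satisfies the static check; actually turning MFA delete on requires applying with the bucket owner's root credentials and an MFA device, which Terraform alone cannot do.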
Changelog v0.6
- update resource scan result doc
Install
Copyright (C) 2020 bridgecrewio