Checkov files #20

Open
nimratcoderabbit wants to merge 1 commit into main from preview/checkov
26 changes: 26 additions & 0 deletions checkov/test.tf
@@ -0,0 +1,26 @@
provider "aws" {
region = "us-east-1"
}

resource "aws_s3_bucket" "bad_bucket" {
bucket = "my-insecure-bucket"
acl = "public-read"
}
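Review bot: `acl = "public-read"` on line 7 no longer produces a public bucket on a current account, it produces a failed apply: new buckets are created with Object Ownership set to BucketOwnerEnforced and all four Block Public Access flags on, and ACL grants are rejected under that ownership mode. The inline `acl` argument on `aws_s3_bucket` has also been deprecated since the 4.x AWS provider in favour of the standalone `aws_s3_bucket_acl` resource. If this file exists only as a Checkov fixture for CKV_AWS_20 (the `preview/checkov` branch name suggests so), say that in a comment at the top of the file so nobody copies it into a real module, and pin the provider in a `required_providers` block so the deprecation does not become a hard error on a later upgrade. `bucket = "my-insecure-bucket"` is a globally unique name as well; prefer `bucket_prefix` or a random suffix if the fixture is ever applied.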
Comment on lines +5 to +8

@coderabbitai coderabbitai bot Jul 14, 2025

🛠️ Refactor suggestion

⚠️ Potential issue
Public-read ACL creates a world-readable bucket – lock it down.

The acl = "public-read" line exposes every object in my-insecure-bucket to the entire internet. Unless the business case explicitly requires anonymous access (and most don’t), switch to a private ACL and add encryption / versioning / lifecycle controls.

- acl = "public-read"
+ acl = "private"
+
+# Enable versioning to guard against accidental deletes
+ versioning {
+ enabled = true
+ }
+
+# Default encryption at rest (SSE-KMS)
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }

Add a separate Public Access Block resource to guarantee nothing re-opens the bucket:

+resource "aws_s3_bucket_public_access_block" "bad_bucket_pab" {
+ bucket = aws_s3_bucket.bad_bucket.id
+
+ block_public_acls = true
+ ignore_public_acls = true
+ block_public_policy = true
+ restrict_public_buckets = true
+}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

🧰 Tools

🪛 Checkov (3.2.334)

[MEDIUM] 5-8: Ensure that an S3 bucket has a lifecycle configuration (CKV2_AWS_61)

[HIGH] 5-8: S3 Bucket has an ACL defined which allows public READ access. (CKV_AWS_20)
🤖 Prompt for AI Agents
In checkov/test.tf around lines 5 to 8, the S3 bucket is configured with a
public-read ACL, making it world-readable. Change the ACL to "private" to
restrict access, and add encryption, versioning, and lifecycle policies as
needed. Additionally, create a separate aws_s3_bucket_public_access_block
resource to block any public access settings and ensure the bucket remains
secure.
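The hardened bucket in current AWS provider syntax, as an added example that is not part of this PR or of CodeRabbit's suggestion: since provider 4.x the inline `acl`, `versioning` and `server_side_encryption_configuration` arguments on `aws_s3_bucket` are deprecated in favour of standalone resources, so the same controls are expressed that way here, ACLs are switched off entirely with `BucketOwnerEnforced` instead of merely set to `private`, and a lifecycle rule covers the CKV2_AWS_61 finding. The bucket name, resource names, KMS key description, the 90-day and 7-day retention figures and the `>= 4.0` provider constraint are assumptions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # assumption: the standalone S3 resources used below exist from 4.0
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Bucket name is a placeholder: S3 names are global, so choose your own.
resource "aws_s3_bucket" "hardened" {
  bucket = "example-hardened-bucket"
}

# BucketOwnerEnforced disables ACLs altogether, so "public-read" can never be
# set on this bucket or on any object in it, by Terraform or by hand.
resource "aws_s3_bucket_ownership_controls" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Bucket-level guard against public ACLs and public bucket policies.
resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Customer-managed key with automatic rotation (description is an assumption).
resource "aws_kms_key" "s3" {
  description         = "CMK for example-hardened-bucket"
  enable_key_rotation = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true # S3 Bucket Keys cut KMS calls per object
  }
}

# Lifecycle rule (the CKV2_AWS_61 finding): stop versioning from growing
# without bound. 90 and 7 days are assumptions; tune to your retention policy.
resource "aws_s3_bucket_lifecycle_configuration" "hardened" {
  bucket     = aws_s3_bucket.hardened.id
  depends_on = [aws_s3_bucket_versioning.hardened]
  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```

Running `checkov -f` on a file like this is the quick way to confirm the two findings above are addressed: CKV_AWS_20 looks for a public ACL on the bucket (or on an `aws_s3_bucket_acl` attached to it), and CKV2_AWS_61 is a graph check that wants an `aws_s3_bucket_lifecycle_configuration` connected to the bucket. Ownership controls plus the public access block are what actually make the bucket un-publishable; the ACL setting alone only describes the current state.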


resource "aws_security_group" "bad_sg" {
name = "open-sg"
description = "Security group with open ingress"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
Comment on lines +10 to +18

@coderabbitai coderabbitai bot Jul 14, 2025

⚠️ Potential issue
⚠️ Potential issue

SSH open to the world (0.0.0.0/0) – huge attack surface.

Unrestricted port 22 access invites automated scanning and brute-force attacks. Limit the source CIDR to a known bastion IP range or, better, drop public SSH and use SSM Session Manager.

- cidr_blocks = ["0.0.0.0/0"]
+ # Example: restrict to corporate office IP range
+ cidr_blocks = ["203.0.113.0/24"]
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

🤖 Prompt for AI Agents
In checkov/test.tf around lines 10 to 18, the security group ingress rule allows
SSH (port 22) from any IP address (0.0.0.0/0), creating a large attack surface.
To fix this, restrict the cidr_blocks value to a specific known IP range such as
a bastion host's IP or remove the public SSH access entirely and configure
access through AWS Systems Manager Session Manager instead.

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
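Review bot: `aws_security_group.bad_sg` (lines 10-12) sets no `vpc_id`, so it is created in the account's default VPC and the apply fails outright in an account that has none; set `vpc_id` explicitly. The `egress` block on lines 19-24 (`protocol = "-1"`, ports 0 to 0, `0.0.0.0/0`) only re-creates the allow-all rule AWS adds by default and Terraform would otherwise strip, so either drop it or narrow it to tcp/443, which is all a host needs for package updates and for the SSM Session Manager path suggested above. Neither rule carries a `description`, and the file has no leading comment stating that it is an intentionally insecure Checkov fixture; add one so the group is never copied into a real module.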

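Both remediations CodeRabbit names, as an added example that is not part of this PR or of the bot's suggestion: option A keeps SSH but admits only an admin range and replaces the allow-all egress with tcp/443, option B removes inbound access entirely and supplies the IAM role the SSM agent needs so shell access goes through Session Manager. The `vpc_id` and `admin_cidr` variables, the group and role names, and the use of 203.0.113.0/24 (a documentation prefix) are assumptions.

```hcl
provider "aws" {
  region = "us-east-1"
}

# Assumed inputs for this example: the VPC to attach the groups to and the
# admin source range. 203.0.113.0/24 is a TEST-NET-3 documentation prefix.
variable "vpc_id" {
  type = string
}

variable "admin_cidr" {
  type    = string
  default = "203.0.113.0/24"
}

# Option A: SSH stays, but only from the admin range, and egress is pinned to
# what an admin host needs instead of the protocol "-1" allow-all rule.
resource "aws_security_group" "ssh_from_admin" {
  name        = "ssh-from-admin"
  description = "SSH from the admin CIDR only"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from admin range"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    description = "HTTPS out for package updates and AWS APIs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Option B: no inbound rule at all. The SSM agent opens an outbound TLS
# session to the SSM endpoints, so shell access needs no listening port.
resource "aws_security_group" "ssm_only" {
  name        = "ssm-only"
  description = "No ingress; shell access via SSM Session Manager"
  vpc_id      = var.vpc_id

  egress {
    description = "HTTPS to the ssm, ssmmessages and ec2messages endpoints"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Instance role the SSM agent needs in order to register and accept sessions.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ssm" {
  name               = "ec2-ssm-session-manager"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# AWS-managed policy scoped to what the agent needs; no ssh key material involved.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "ssm" {
  name = "ec2-ssm-session-manager"
  role = aws_iam_role.ssm.name
}
```

Attach `aws_iam_instance_profile.ssm.name` through `iam_instance_profile` and `aws_security_group.ssm_only.id` through `vpc_security_group_ids` on the instance, then connect with `aws ssm start-session --target <instance-id>`. Who may open a session is now an IAM decision (`ssm:StartSession`) recorded in CloudTrail rather than a network one. In a private subnet with no internet route, create interface VPC endpoints for ssm, ssmmessages and ec2messages and the egress rule can be narrowed from `0.0.0.0/0` to the VPC CIDR.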