#security (2022-09)
Archive: https://archive.sweetops.com/security/
2022-09-01
Anyone using this solution? It’s free apparently. Surprised I hadn’t heard of it. I’m mostly familiar with OPA Checkmarx Infra as Code Scanning https://checkmarx.com/product/opensource/kics-open-source-infrastructure-as-code-project/
KICS - Keeping Infrastructure as Code Secure is an open source solution for static code analysis of IaC. Learn more about our KICS solution at Checkmarx now!
Just executed it against our CF files and their output is kind of useless. It found
KMS Key With Vulnerable Policy, Severity: HIGH, Results: 4
Description: Checks if the policy is vulnerable and needs updating.
and no more information returned. The output doesn’t even point to the actual line that they think is problematic but just to the keypolicy block in general.
I found their docs with “more description” which just sends me to the general KMS Key Policy docs, which I already follow.
We looked at it.. doesn’t have support for private modules yet.. sticking with Checkov for now
2022-09-08
2022-09-13
Hi all, I created a KMS key for encrypted SNS topics. Is this policy secure enough?
EncryptionKey:
  DeletionPolicy: Delete
  Type: AWS::KMS::Key
  Properties:
    KeyPolicy:
      Version: '2012-10-17'
      Id: !Ref AWS::StackName
      Statement:
        # Account root principal gets full administrative access to the key.
        # The archived text garbled this ARN and the wildcards; the standard
        # root-principal form and 'kms:*' / '*' are assumed here.
        - Effect: Allow
          Principal:
            AWS:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
          Action: 'kms:*'
          Resource: '*'
        # CloudWatch service principal may only decrypt and generate data keys,
        # which is what it needs to publish to an SNS topic encrypted with this key.
        - Effect: Allow
          Principal:
            Service:
              - cloudwatch.amazonaws.com
          Action:
            - 'kms:Decrypt'
            - 'kms:GenerateDataKey'
          Resource: '*'
    EnableKeyRotation: true
2022-09-15
cross-posting from hangops since I’m really looking for a solution:
does anyone know if there’s an automatic way to block pulling/consuming of a Docker image from AWS ECR if the said image has been discovered to have vulnerabilities? By automatic here I am thinking of even updating IAM policies with a DENY statement…
Once it’s in ECR, no ideas come to mind. At Enigma we have the ability to fail the push CI job if there are unapproved vulnerabilities. We do this by scanning the image with Clair in CI on every merge request.
AWS ECR scanning uses Clair under the hood.
In other words we prevent pushing to ECR in the first place