#security (2022-09)

Archive: https://archive.sweetops.com/security/

2022-09-01

sheldonh avatar
sheldonh

Anyone using this solution? It’s free apparently. Surprised I hadn’t heard of it. I’m mostly familiar with OPA Checkmarx Infra as Code Scanning https://checkmarx.com/product/opensource/kics-open-source-infrastructure-as-code-project/

KICS - Open Source Solution | Keeping Infrastructure as Code Secure | Checkmarx KICS Solutionsattachment image

KICS - Keeping Infrastructure as Code Secure is an open source solution for static code analysis of IaC. Learn more about our KICS solution at Checkmarx now!

Maciek Strömich avatar
Maciek Strömich

just executed it against our CF files and their output is kind of useless. it found

KMS Key With Vulnerable Policy, Severity: HIGH, Results: 4
Description: Checks if the policy is vulnerable and needs updating.

and no more information returned. The output doesn’t even point to the actual line that they think is problematic but just to the keypolicy block in general.

I found their docs with “more description” which just send me to general KMS Key Policy Docs which I already follow.

KICS - Open Source Solution | Keeping Infrastructure as Code Secure | Checkmarx KICS Solutionsattachment image

KICS - Keeping Infrastructure as Code Secure is an open source solution for static code analysis of IaC. Learn more about our KICS solution at Checkmarx now!

2022-09-08

2022-09-13

Bart Coddens avatar
Bart Coddens

Hi all, I created a kms key for encrypted sns topics. Is this policy secure enough ?

Bart Coddens avatar
Bart Coddens

EncryptionKey: DeletionPolicy: Delete Type: AWS::Key Properties: KeyPolicy: Version: 2012-10-17 Id: !Ref AWS::StackName Statement: - Effect: Allow Principal: AWS: - !Sub “arniam:root” Action: ‘kms:’ Resource: ‘’ - Effect: Allow Principal: Service: - cloudwatch.amazonaws.com Action: - ‘kms:Decrypt’ - ‘kms:GenerateDataKey’ Resource: ‘’ EnableKeyRotation: true

2022-09-15

Bogdan avatar
Bogdan
10:19:32 AM

cross-posting from hangops since I’m really looking for a solution:
does anyone know if there’s an automatic way to block pulling/consuming of a Docker image from AWS ECR if the said image has been discovered to have vulnerabilities? By automatic here I am thinking of even updating IAM policies with a DENY statement…

    keyboard_arrow_up