Update to the latest defsec

cmd/tfsec-docs/main.go

@@ -56,6 +56,14 @@ func getSortedFileContents() []*FileContent {
  if r.Rule().Terraform == nil {
  continue
  }
+ var badExample string
+ if len(r.Rule().Terraform.BadExamples) > 0 {
+ badExample = r.Rule().Terraform.BadExamples[0]
+ }
+ var goodExample string
+ if len(r.Rule().Terraform.GoodExamples) > 0 {
+ goodExample = r.Rule().Terraform.GoodExamples[0]
+ }
  provider := string(r.Rule().Provider)
  checkMap[provider] = append(checkMap[provider], templateObject{
  ID: r.Rule().LongID(),
@@ -67,8 +75,8 @@ func getSortedFileContents() []*FileContent {
  Explanation: r.Rule().Explanation,
  Impact: r.Rule().Impact,
  Resolution: r.Rule().Resolution,
- BadExample: r.Rule().Terraform.BadExamples[0],
- GoodExample: r.Rule().Terraform.GoodExamples[0],
+ BadExample: badExample,
+ GoodExample: goodExample,
  Links: append(r.Rule().Terraform.Links, r.Rule().Links...),
  })
  }

docs/checks/aws/api-gateway/enable-cache/index.md

@@ -0,0 +1,86 @@
+---
+title: Ensure that response caching is enabled for your Amazon API Gateway REST APIs.
+---
+
+# Ensure that response caching is enabled for your Amazon API Gateway REST APIs.
+
+### Default Severity: <span class="severity low">low</span>
+
+### Explanation
+
+A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.
+
+### Possible Impact
+Reduce the number of calls made to your API endpoint and also improve the latency of requests to your API with response caching.
+
+### Suggested Resolution
+Enable cache
+
+
+### Insecure Example
+
+The following example will fail the aws-api-gateway-enable-cache check.
+```terraform
+
+ resource "aws_api_gateway_rest_api" "example" {
+
+ }
+
+ resource "aws_api_gateway_stage" "example" {
+ rest_api_id = aws_api_gateway_rest_api.example.id
+ }
+
+ resource "aws_api_gateway_method_settings" "bad_example" {
+ rest_api_id = aws_api_gateway_rest_api.example.id
+ stage_name = aws_api_gateway_stage.example.stage_name
+ method_path = "path1/GET"
+
+ settings {
+ metrics_enabled = true
+ logging_level = "INFO"
+ caching_enabled = false
+ }
+ }
+
+```
+
+
+
+### Secure Example
+
+The following example will pass the aws-api-gateway-enable-cache check.
+```terraform
+
+ resource "aws_api_gateway_rest_api" "example" {
+
+ }
+
+ resource "aws_api_gateway_stage" "example" {
+
+ }
+
+ resource "aws_api_gateway_method_settings" "good_example" {
+ rest_api_id = aws_api_gateway_rest_api.example.id
+ stage_name = aws_api_gateway_stage.example.stage_name
+ method_path = "path1/GET"
+
+ settings {
+ metrics_enabled = true
+ logging_level = "INFO"
+ caching_enabled = true
+ }
+ }
+
+```
+
+
+
+### Links
+
+
+- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_enabled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_enabled){:target="_blank" rel="nofollow noreferrer noopener"}
+
+- [https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html){:target="_blank" rel="nofollow noreferrer noopener"}
+
+
+

docs/checks/aws/api-gateway/index.md

@@ -9,6 +9,8 @@ title: api-gateway
 
 - [enable-access-logging](enable-access-logging) API Gateway stages for V1 and V2 should have access logging enabled
 
+- [enable-cache](enable-cache) Ensure that response caching is enabled for your Amazon API Gateway REST APIs.
+
 - [enable-cache-encryption](enable-cache-encryption) API Gateway must have cache enabled
 
 - [enable-tracing](enable-tracing) API Gateway must have X-Ray tracing enabled

docs/checks/aws/ec2/index.md

@@ -23,7 +23,7 @@ title: ec2
 
 - [no-default-vpc](no-default-vpc) AWS best practice to not use the default VPC for workflows
 
-- [no-excessive-port-access](no-excessive-port-access) An ingress Network ACL rule allows ALL ports.
+- [no-excessive-port-access](no-excessive-port-access) An Network ACL rule allows ALL ports.
 
 - [no-public-egress-sgr](no-public-egress-sgr) An egress security group rule allows traffic to /0.
 
@@ -41,6 +41,8 @@ title: ec2
 
 - [no-sensitive-info](no-sensitive-info) Ensure all data stored in the launch configuration EBS is securely encrypted
 
+- [require-vpc-flow-logs-for-all-vpcs](require-vpc-flow-logs-for-all-vpcs) VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.
+
 - [volume-encryption-customer-key](volume-encryption-customer-key) EBS volume encryption should use Customer Managed Keys
 
 

docs/checks/aws/ec2/no-excessive-port-access/index.md

@@ -1,8 +1,8 @@
 ---
-title: An ingress Network ACL rule allows ALL ports.
+title: An Network ACL rule allows ALL ports.
 ---
 
-# An ingress Network ACL rule allows ALL ports.
+# An Network ACL rule allows ALL ports.
 
 ### Default Severity: <span class="severity critical">critical</span>
 
@@ -11,7 +11,7 @@ title: An ingress Network ACL rule allows ALL ports.
 Ensure access to specific required ports is allowed, and nothing else.
 
 ### Possible Impact
-All ports exposed for egressing data
+All ports exposed for ingressing/egressing data
 
 ### Suggested Resolution
 Set specific allowed ports

docs/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/index.md

@@ -0,0 +1,29 @@
+---
+title: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.
+---
+
+# VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs.
+
+### Default Severity: <span class="severity medium">medium</span>
+
+### Explanation
+
+VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.
+
+### Possible Impact
+Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
+
+### Suggested Resolution
+Enable flow logs for VPC
+
+
+
+
+
+### Links
+
+
+- [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html){:target="_blank" rel="nofollow noreferrer noopener"}
+
+
+

docs/checks/aws/elb/drop-invalid-headers/index.md

@@ -10,7 +10,7 @@ title: Load balancers should drop invalid headers
 
 Passing unknown or invalid headers through to the target poses a potential risk of compromise. 
 
-By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
+By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
 
 ### Possible Impact
 Invalid headers being passed through to the target of the load balance may exploit vulnerabilities

docs/checks/aws/elb/use-secure-tls-policy/index.md

@@ -37,7 +37,7 @@ The following example will pass the aws-elb-use-secure-tls-policy check.
 ```terraform
 
  resource "aws_alb_listener" "good_example" {
- ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  protocol = "HTTPS"
  }
 

docs/checks/aws/msk/enable-at-rest-encryption/index.md

@@ -0,0 +1,57 @@
+---
+title: A MSK cluster allows unencrypted data at rest.
+---
+
+# A MSK cluster allows unencrypted data at rest.
+
+### Default Severity: <span class="severity high">high</span>
+
+### Explanation
+
+Encryption should be forced for Kafka clusters, including at rest. This ensures sensitive data is kept private.
+
+### Possible Impact
+Intercepted data can be read at rest
+
+### Suggested Resolution
+Enable at rest encryption
+
+
+### Insecure Example
+
+The following example will fail the aws-msk-enable-at-rest-encryption check.
+```terraform
+
+ resource "aws_msk_cluster" "bad_example" {
+ encryption_info {
+ }
+ }
+
+```
+
+
+
+### Secure Example
+
+The following example will pass the aws-msk-enable-at-rest-encryption check.
+```terraform
+
+ resource "aws_msk_cluster" "good_example" {
+ encryption_info {
+ encryption_at_rest_kms_key_arn = "foo-bar-key"
+ }
+ }
+
+```
+
+
+
+### Links
+
+
+- [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_info-argument-reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_info-argument-reference){:target="_blank" rel="nofollow noreferrer noopener"}
+
+- [https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html](https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html){:target="_blank" rel="nofollow noreferrer noopener"}
+
+
+

docs/checks/aws/msk/index.md

@@ -7,6 +7,8 @@ title: msk
 ## Checks
 
 
+- [enable-at-rest-encryption](enable-at-rest-encryption) A MSK cluster allows unencrypted data at rest.
+
 - [enable-in-transit-encryption](enable-in-transit-encryption) A MSK cluster allows unencrypted data in transit.
 
 - [enable-logging](enable-logging) Ensure MSK Cluster logging is enabled

docs/checks/aws/rds/no-public-db-access/index.md

@@ -25,7 +25,7 @@ The following example will fail the aws-rds-no-public-db-access check.
  resource "aws_db_instance" "bad_example" {
  publicly_accessible = true
  }
- 
+
 ```
 
 
@@ -38,7 +38,7 @@ The following example will pass the aws-rds-no-public-db-access check.
  resource "aws_db_instance" "good_example" {
  publicly_accessible = false
  }
- 
+
 ```
 
 

docs/checks/azure/container/limit-authorized-ips/index.md

@@ -36,9 +36,13 @@ The following example will pass the azure-container-limit-authorized-ips check.
 ```terraform
 
  resource "azurerm_kubernetes_cluster" "good_example" {
- api_server_authorized_ip_ranges = [
+ api_server_access_profile {
+ authorized_ip_ranges = [
  "1.2.3.4/32"
  ]
+
+ }
+
  }
 
 ```

docs/checks/azure/storage/use-secure-tls-policy/index.md

@@ -30,6 +30,7 @@ The following example will fail the azure-storage-use-secure-tls-policy check.
  name = "storageaccountname"
  resource_group_name = azurerm_resource_group.example.name
  location = azurerm_resource_group.example.location
+ min_tls_version = "TLS1_0"
  }
 
 ```

docs/checks/google/compute/disk-encryption-no-plaintext-key/index.md

@@ -22,7 +22,7 @@ Reference a managed key rather than include the key in raw format.
 The following example will fail the google-compute-disk-encryption-no-plaintext-key check.
 ```terraform
 
- resource "google_compute_disk" "good_example" {
+ resource "google_compute_disk" "bad_example" {
  disk_encryption_key {
  raw_key="b2ggbm8gdGhpcyBpcyBiYWQ="
  }

docs/checks/google/compute/enable-shielded-vm-im/index.md

@@ -54,7 +54,7 @@ The following example will fail the google-compute-enable-shielded-vm-im check.
 The following example will pass the google-compute-enable-shielded-vm-im check.
 ```terraform
 
- resource "google_compute_instance" "bad_example" {
+ resource "google_compute_instance" "good_example" {
  name = "test"
  machine_type = "e2-medium"
  zone = "us-central1-a"