update docs

aquasecurity · Apr 9, 2024 · eceb609 · eceb609
1 parent 327a292
commit eceb609
Show file tree

Hide file tree

Showing 8 changed files with 19 additions and 24 deletions.
diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md b/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md
@@ -4,7 +4,7 @@ Use the most modern TLS/SSL policies available
 ```hcl
  resource "aws_cloudfront_distribution" "good_example" {
    viewer_certificate {
-     cloudfront_default_certificate = false
+     cloudfront_default_certificate = aws_acm_certificate.example.arn
      minimum_protocol_version = "TLSv1.2_2021"
    }
  }

diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md b/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md
@@ -1,7 +1,7 @@
 
 You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
 
-Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
+Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name) and *ssl_support_method* is *sni-only*. 
 If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
 The only option when using the cloudfront.net domain name is to ignore this rule.
 

diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
@@ -1,5 +1,5 @@
 
-Use Customer managed key
+Enable encryption at rest
 
 ```yaml---
 Resources:
@@ -15,6 +15,4 @@ Resources:
 
 ```
 
-#### Remediation Links
- - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid
 
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md
@@ -1,5 +1,5 @@
 
-Use Customer managed key
+Enable encryption at rest
 
 ```hcl
  resource "aws_cloudtrail" "good_example" {

diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md
@@ -1,15 +1,13 @@
 
-Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.
+Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach.
 
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+Data can be freely read if compromised
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}
 
 ### Links
 - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
 
-- https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
-
 
diff --git a/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md b/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md
@@ -5,7 +5,7 @@ Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced
 resource "aws_iam_group" "support" {
   name =  "support"
 }
-resource "aws_iam_group_policy" "mfa" {
+resource aws_iam_group_policy mfa {
    
     group = aws_iam_group.support.name
     policy = <<EOF
@@ -33,7 +33,7 @@ EOF
 resource "aws_iam_group" "support" {
   name =  "support"
 }
-resource "aws_iam_policy" "mfa" {
+resource aws_iam_policy mfa {
    
     name = "something"
     policy = <<EOF
@@ -55,7 +55,7 @@ resource "aws_iam_policy" "mfa" {
 }
 EOF
 }
-resource "aws_iam_group_policy_attachment" "attach" {
+resource aws_iam_group_policy_attachment attach {
     group = aws_iam_group.support.name
     policy_arn = aws_iam_policy.mfa.id
 }
@@ -65,7 +65,7 @@ resource "aws_iam_group_policy_attachment" "attach" {
 resource "aws_iam_group" "support" {
   name =  "support"
 }
-resource "aws_iam_group_policy" "mfa" {
+resource aws_iam_group_policy mfa {
   group = aws_iam_group.support.name
   policy = data.aws_iam_policy_document.combined.json
 }

diff --git a/avd_docs/azure/database/AVD-AZU-0027/Terraform.md b/avd_docs/azure/database/AVD-AZU-0027/Terraform.md
@@ -9,18 +9,17 @@ Enable auditing on Azure SQL databases
    version                      = "12.0"
    administrator_login          = "mradministrator"
    administrator_login_password = "tfsecRocks"
- }
-
- resource "azurerm_mssql_server_extended_auditing_policy" "example" {
-  server_id                               = azurerm_sql_server.good_example.id
-  storage_endpoint                        = azurerm_storage_account.example.primary_blob_endpoint
-  storage_account_access_key              = azurerm_storage_account.example.primary_access_key
-  storage_account_access_key_is_secondary = true
-  retention_in_days                       = 6
+ 
+   extended_auditing_policy {
+     storage_endpoint                        = azurerm_storage_account.example.primary_blob_endpoint
+     storage_account_access_key              = azurerm_storage_account.example.primary_access_key
+     storage_account_access_key_is_secondary = true
+     retention_in_days                       = 6
+   }
  }
  
 ```
 
 #### Remediation Links
- - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_extended_auditing_policy
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server#extended_auditing_policy
 
diff --git a/avd_docs/dockerfile/general/AVD-DS-0017/docs.md b/avd_docs/dockerfile/general/AVD-DS-0017/docs.md
@@ -8,6 +8,6 @@ The instruction 'RUN <package-manager> update' should always be followed by '<pa
 {{ remediationActions }}
 
 ### Links
-- https://docs.docker.com/develop/develop-images/instructions/#run
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run