Skip to content

Ignoring LOW tfsec vulnerability for web_acl cloudwatch log group#65

Open
adityacb15 wants to merge 1 commit intomainfrom
fix_for_tfsec_issue
Open

Ignoring LOW tfsec vulnerability for web_acl cloudwatch log group#65
adityacb15 wants to merge 1 commit intomainfrom
fix_for_tfsec_issue

Conversation

@adityacb15
Copy link

@adityacb15 adityacb15 commented Jun 20, 2025
edited
Loading

While accessing the WAFv2 module in our repo (platform-services-observability), we faced this issue during a tfsec scan.

Result #1 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  github.com/RSS-Engineering/terraform/modules/wafv2?ref=53cbaac6891da31d4b4f4bbcecbe36a9b8a120c6/main.tf:219-222
   via infra/sso/main.tf:110-120 (module.wafv2)
────────────────────────────────────────────────────────────────────────────────
  219    resource "aws_cloudwatch_log_group" "web_acl_log" {
  220      name  = "aws-waf-logs-${var.stage}_${var.region}_${var.service_name}"
  221      count = var.enabled
  222    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id

@adityacb15 adityacb15 self-assigned this Jun 20, 2025
@adityacb15 adityacb15 force-pushed the fix_for_tfsec_issue branch from 03b29ea to 05e85f7 Compare June 23, 2025 10:01
@adityacb15 adityacb15 requested a review from iWebi June 23, 2025 10:02
@adityacb15 adityacb15 force-pushed the fix_for_tfsec_issue branch 3 times, most recently from 51f3ce4 to 9a389aa Compare June 24, 2025 08:49
@adityacb15 adityacb15 changed the title Adding a KMS key for encrypting CloudWatch Logs Ignoring LOW tfsec vulnerability for web_acl cloudwatch log group Jun 24, 2025
@adityacb15 adityacb15 force-pushed the fix_for_tfsec_issue branch from 9a389aa to c306591 Compare June 24, 2025 09:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iWebi iWebi Awaiting requested review from iWebi

At least 1 approving review is required to merge this pull request.

Assignees

@adityacb15 adityacb15

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@adityacb15