From a668e6631d223672d1c334e2d805841ae1f5936e Mon Sep 17 00:00:00 2001 From: RII6 Date: Fri, 26 Jun 2026 23:38:13 +0300 Subject: [PATCH] feat(lab6): Checkov + KICS scans + custom policy --- labs/lab6/policies/my-custom-policy.yaml | 12 +++ submissions/lab6.md | 112 +++++++++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 labs/lab6/policies/my-custom-policy.yaml create mode 100644 submissions/lab6.md diff --git a/labs/lab6/policies/my-custom-policy.yaml b/labs/lab6/policies/my-custom-policy.yaml new file mode 100644 index 000000000..4523d8a81 --- /dev/null +++ b/labs/lab6/policies/my-custom-policy.yaml @@ -0,0 +1,12 @@ +metadata: + name: "Ensure RDS instances have deletion protection enabled" + id: "CKV2_CUSTOM_1" + category: "BACKUP_AND_RECOVERY" + severity: "HIGH" +definition: + cond_type: "attribute" + resource_types: + - "aws_db_instance" + attribute: "deletion_protection" + operator: "equals" + value: true diff --git a/submissions/lab6.md b/submissions/lab6.md new file mode 100644 index 000000000..11ec3e7de --- /dev/null +++ b/submissions/lab6.md @@ -0,0 +1,112 @@ +# Lab 6 — Submission + +## Task 1: Checkov on Terraform + Pulumi + +> **Note on lab issues:** +> 1. Checkov 3.x outputs JSON arrays, not objects. The provided `jq` commands fail with `Cannot index array with string "results"`. Fixed by using `jq '[.[] | ...]'`. +> 2. The Checkov open-source version does not populate the `severity` field (returns `null`), so the Severity table cannot be filled. +> 3. Task 1 lacks Pulumi commands, and the `pulumi-state-rendered.json` fallback file is missing from the repository, making the Pulumi scan impossible here. + +### Terraform scan +- Total checks: 129 +- Passed: 49 +- Failed: 80 + +| Severity | Count | +|----------|------:| +| Critical | N/A (null) | +| High | N/A (null) | +| Medium | N/A (null) | +| Low | N/A (null) | + +### Top 5 rule IDs (by frequency) +| Rule ID | Count | What it checks | +|---------|------:|----------------| +| CKV_AWS_289 | 4 | Ensure IAM policies does not allow permissions management / resource exposure without constraints | +| CKV_AWS_355 | 4 | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | +| CKV_AWS_23 | 3 | Ensure every security group and rule has a description | +| CKV_AWS_288 | 3 | Ensure IAM policies does not allow data exfiltration | +| CKV_AWS_290 | 3 | Ensure IAM policies does not allow write access without constraints | + +### Pulumi scan +| Severity | Count | +|----------|------:| +| N/A | N/A | + +*(Pulumi Checkov scan skipped due to missing `pulumi-state-rendered.json` and lack of native Pulumi source support in Checkov 3.x).* + +### Module-leverage analysis (Lecture 6 slide 17) +Looking at the top-5 Terraform rules, 4 of them (CKV_AWS_289, CKV_AWS_355, CKV_AWS_288, CKV_AWS_290) are related to overly permissive IAM policies. If the base IAM policy module restricted the use of wildcards (`*`) for resources and actions by default, this single fix would immediately resolve 14 vulnerabilities. + + +## Task 2: KICS on Ansible + +> **Note on lab issues:** +> The `jq` commands provided in the instructions attempt to read from `labs/lab6/results/kics/results.json`. However, the Docker commands output the results to `results/kics-ansible/` and `results/kics-pulumi/`. The `jq` path had to be corrected to point to `kics-ansible/results.json` to work. + +### Severity breakdown (Ansible) +| Severity | Count | +|----------|------:| +| HIGH | 3 | +| MEDIUM | 0 | +| LOW | 1 | +| INFO | 0 | +*(Note: This counts unique triggered rules based on the lab's `jq` query. The total number of affected files/findings is 9 High and 1 Low).* + +### Top 5 KICS queries (by frequency) +| Query | Severity | Files | +|-------|----------|------:| +| Passwords And Secrets - Generic Password | HIGH | 6 | +| Passwords And Secrets - Password in URL | HIGH | 2 | +| Passwords And Secrets - Generic Secret | HIGH | 1 | +| Unpinned Package Version | LOW | 1 | + + +### Checkov vs KICS — when to use which? (Lecture 6 slide 10) +- **One thing Checkov did better for the Terraform sample:** Checkov has deep, native understanding of AWS architectures and provides specialized, graph-based rules (like cross-resource checks for IAM), making it incredibly powerful for cloud-native IaC like Terraform. +- **One thing KICS did better for the Ansible sample:** KICS natively parsed Ansible playbooks and Pulumi YAML configurations without needing state translation, effectively finding hardcoded secrets and unpinned packages in configuration management tools where Checkov struggles or requires workarounds. + +--- + +## Bonus: Custom Checkov Policy + +### Policy file +```yaml +metadata: + name: "Ensure RDS instances have deletion protection enabled" + id: "CKV2_CUSTOM_1" + category: "BACKUP_AND_RECOVERY" + severity: "HIGH" +definition: + cond_type: "attribute" + resource_types: + - "aws_db_instance" + attribute: "deletion_protection" + operator: "equals" + value: true +``` + +### Rule fires +Output of `jq '.[] | .results.failed_checks[]? | select(.check_id | startswith("CKV2_CUSTOM_"))'`: +```json +{ + "check_id": "CKV2_CUSTOM_1", + "bc_check_id": null, + "check_name": "Ensure RDS instances have deletion protection enabled", + "check_result": { + "result": "FAILED", + "entity": { + "aws_db_instance": { + "weak_db": { ... } + } + } + }, + "resource": "aws_db_instance.weak_db", + "severity": "HIGH" +} +``` +*(Note: JSON output truncated for readability. It successfully fired on both `aws_db_instance.unencrypted_db` and `aws_db_instance.weak_db`).* + +### Why this rule matters +This custom policy prevents accidental or malicious deletion of production databases by enforcing AWS RDS deletion protection. A real-world example of this risk was the GitLab database outage in 2017, where an admin accidentally deleted critical database files; having strict deletion protection controls enforced at the IaC level adds a necessary layer of defense against irrecoverable data loss and helps comply with standard availability frameworks like SOC2. +