@adityacb15 adityacb15 commented Jun 20, 2025

While accessing the WAFv2 module in our repo (platform-services-observability), we faced this issue during a tfsec scan.

Result #1 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  github.com/RSS-Engineering/terraform/modules/wafv2?ref=53cbaac6891da31d4b4f4bbcecbe36a9b8a120c6/main.tf:219-222
   via infra/sso/main.tf:110-120 (module.wafv2)
────────────────────────────────────────────────────────────────────────────────
  219    resource "aws_cloudwatch_log_group" "web_acl_log" {
  220      name  = "aws-waf-logs-${var.stage}_${var.region}_${var.service_name}"
  221      count = var.enabled
  222    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.14/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
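The PR's final title says the LOW finding was suppressed rather than fixed; for reference, this is the remediation the Resolution line points to, as an added example that is not the RSS-Engineering module's code: a customer-managed KMS key with the key policy CloudWatch Logs needs, and the flagged log group referencing it through kms_key_id. It assumes the module's existing var.stage, var.region, var.service_name and var.enabled (used as a 0/1 count, as in the finding); the key resource name and the data source are my own choices.

```hcl
# Added example, not the RSS-Engineering module's own code. It assumes the module's
# existing var.stage, var.region, var.service_name and var.enabled (0/1 count); the
# key policy is the shape AWS documents for CloudWatch Logs.
data "aws_caller_identity" "current" {}

# Customer-managed key for the log group. The second statement is the part that is
# easy to miss: without it, CloudWatch Logs cannot use the key and creating the
# log group fails. The encryption-context condition keeps the grant scoped to log
# groups in this account and region rather than any caller of the service.
# Key use (Decrypt calls) then shows up in CloudTrail, which covers the
# "no auditing of who viewed the logs" part of the finding's Impact line.
resource "aws_kms_key" "web_acl_log" {
  count               = var.enabled
  description         = "CMK for the WAF web ACL CloudWatch log group"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowAccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowCloudWatchLogs"
        Effect    = "Allow"
        Principal = { Service = "logs.${var.region}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:*"
          }
        }
      }
    ]
  })
}

# The flagged resource with kms_key_id set; tfsec's
# aws-cloudwatch-log-group-customer-key check passes once this is present.
resource "aws_cloudwatch_log_group" "web_acl_log" {
  count      = var.enabled
  name       = "aws-waf-logs-${var.stage}_${var.region}_${var.service_name}"
  kms_key_id = aws_kms_key.web_acl_log[0].arn
}
```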

@adityacb15 adityacb15 self-assigned this Jun 20, 2025
@adityacb15 adityacb15 force-pushed the fix_for_tfsec_issue branch from 03b29ea to 05e85f7 on June 23, 2025 10:01
@adityacb15 adityacb15 requested a review from iWebi June 23, 2025 10:02
@adityacb15 adityacb15 force-pushed the fix_for_tfsec_issue branch 3 times, most recently from 51f3ce4 to 9a389aa on June 24, 2025 08:49
@adityacb15 adityacb15 changed the title from "Adding a KMS key for encrypting CloudWatch Logs" to "Ignoring LOW tfsec vulnerability for web_acl cloudwatch log group" on Jun 24, 2025
@adityacb15 adityacb15 force-pushed the fix_for_tfsec_issue branch from 9a389aa to c306591 on June 24, 2025 09:31