The tfsec config file enables us to modify a rule's severity level or exclude a rule from a scan completely. This is useful when a rule is not applicable or the severity should be lowered for a dev environment vs a prod environment.
Overriding the Severity
This rule below is being modified from the original "HIGH" finding to a "LOW" finding.
Again, leveraging the custom config file will result in the rule aws-s3-enable-bucket-encryption being excluded from the findings.
Custom tfsec Rules
tfsec supports custom rules written in JSON, YAML, or Rego. Custom rules are useful when you want to enforce security policies specific to your organization or when out-of-the-box rules don't meet your requirements.
JSON Format
This rule ensures an S3 bucket has a business owner tag.
# _tfchecks.json
{
"checks": [
{
"code": "No Business Owner Tag - CUS001",
"description": "Custom check to ensure buckets are tagged with a business owner.",
"impact": "By not having a business owner tag, it is difficult to determine who is responsible for the bucket.",
"resolution": "Add the businessOwner tag.",
"requiredTypes": [
"resource"
],
"requiredLabels": [
"aws_s3_bucket"
],
"severity": "CRITICAL",
"matchSpec": {
"name": "tags",
"action": "contains",
"value": "businessOwner"
},
"errorMessage": "The required businessOwner tag was missing."
}
]
}
The custom rule can be leveraged during a scan. This assumes the terraform code and custom rule are in the same directory but this doesn't have to be true.
tfsec --custom-check-dir .
YAML Format
---
checks:
- code: No Business Owner Tag - CUS001
description: Custom check to ensure buckets are tagged with a business owner.
impact: By not having a business owner tag, it is difficult to determine who is responsible for the bucket.
resolution: Add the businessOwner tag.
requiredTypes:
- resource
requiredLabels:
- aws_s3_bucket
severity: CRITICAL
matchSpec:
name: tags
action: contains
value: businessOwner
errorMessage: The required businessOwner tag was missing.
Rego Format
An example of a supported check would be a Rego policy that checks S3 bucket versioning is enabled.
package custom.aws.s3.versioning_enabled
deny[res] {
bucket := input.aws.s3.buckets[_]
bucket.versioning.enabled.value == false
msg := "Bucket should have versioning enabled."
res := result.new(msg, bucket.versioning.enabled)
}
Useful Resources
We can easily make exceptions by adding this line of code directly above the resource. Hint, if you use the , you can just click a button to do this for you. When the scan runs again, this finding will be ignored.
The same but in YAML.
tfsec allows for writing policies in Rego format but not all arguments are supported. In this case, we cannot write a tfsec rego policy that checks for tags. Under the hood, tfsec is utilizing the open-source project and tags are not supported for an S3 bucket. You can view what is . Additionally, you can see all the values and their current configuration by running this command, tfsec --print-rego-input | jq '.aws.s3.buckets[0]' which will return an output similar to below.
