# Trivy Ignore File - Documented Security Exceptions
#
# This file contains security findings that are intentionally accepted
# as exceptions due to technical requirements or business decisions.
# Each exception must be documented with clear rationale.
#
# NOTE: a bare check ID on its own line suppresses that check for every
# resource in every scanned path, not only for the files listed under
# "Files affected". Re-validate each entry whenever the listed modules
# change, and treat a new resource that trips one of these checks as a
# new finding, not as pre-approved.
# ========================================================================
# S3 Replication Wildcard Exceptions
# ========================================================================
#
# AVD-AWS-0057: IAM policy should avoid use of wildcards
#
# EXCEPTION RATIONALE:
# - S3 Cross-Region Replication requires wildcard permissions on bucket objects
# - AWS Service requirement for replication functionality
# - Wildcards are scoped to specific S3 buckets only (not global wildcards)
# - Risk is mitigated by:
# * Replication role can only be assumed by S3 service
# * Actions are limited to replication-specific operations
# * Resources are constrained to known bucket ARNs
#
# REFERENCE: https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-iam-prerequisites.html
#
# Files affected:
# - modules/s3/main.tf (S3 replication policy)
#
AVD-AWS-0057
# ========================================================================
# S3 Access Logs Bucket Logging Exception
# ========================================================================
#
# AVD-AWS-0089: S3 Bucket Logging
#
# EXCEPTION RATIONALE:
# - Access logs bucket is the final destination for S3 logging
# - Adding logging to the logs bucket creates recursive complexity
# - CloudTrail, with S3 data events enabled for this bucket, records object-level
#   API calls (GetObject, PutObject, DeleteObject) against it
# - Risk is low: access logs bucket contains only log files, not sensitive application data
# - Industry standard practice: log aggregation buckets typically don't log themselves
#
# ALTERNATIVE CONTROLS:
# - CloudTrail S3 data events log access to the log bucket (data events must be
#   enabled explicitly; management events alone do not cover object reads)
# - VPC Flow Logs capture network-level access patterns for traffic that reaches S3
#   through a VPC endpoint; access from outside the VPC is not visible there
# - AWS Config monitors bucket configuration changes
#
# Files affected:
# - modules/s3/main.tf (access_logs bucket)
#
AVD-AWS-0089
# ========================================================================
# CloudFront Logging Dynamic Configuration Exception
# ========================================================================
#
# AVD-AWS-0010: CloudFront distribution should have Access Logging configured
#
# EXCEPTION RATIONALE:
# - CloudFront logging IS configured via a dynamic "logging_config" block
# - The block is only rendered when var.enable_access_logging = true; when the
#   variable is left at a false default, Trivy sees a distribution with no
#   logging_config and reports it
# - Before relying on this exception, confirm the finding clears when the
#   production variable values are supplied, e.g.
#   trivy config --tf-vars prod.tfvars .   (tfvars file name is an assumption)
# - Logs are written to dedicated S3 access logs bucket
# - Configuration includes appropriate logging prefix for organization
#
# ACTUAL IMPLEMENTATION:
# - Dynamic "logging_config" block in modules/cloudfront/main.tf
# - Conditionally enabled based on var.enable_access_logging
# - Logs stored in separate S3 bucket for security isolation
# - Prefix-based log organization for analysis
#
# Files affected:
# - modules/cloudfront/main.tf (dynamic logging_config block)
#
AVD-AWS-0010
# ========================================================================
# S3 Public Website Hosting Feature Flag Exceptions
# ========================================================================
#
# AVD-AWS-0086: S3 block public ACL (block_public_acls)
# AVD-AWS-0087: S3 block public policy (block_public_policy)
# AVD-AWS-0091: S3 ignore public ACLs (ignore_public_acls)
# AVD-AWS-0093: S3 restrict public buckets (restrict_public_buckets)
#
# EXCEPTION RATIONALE:
# - Feature flag implementation enables S3-only static website hosting
# - When enable_cloudfront = false, S3 requires public access for direct hosting
# - Public access is intentionally enabled for cost optimization scenarios
# - Risk is mitigated by:
# * Public access only enabled when CloudFront is disabled (feature flag)
# * Bucket policy restricts access to GetObject on website content only
# * No administrative or PUT operations allowed via public access
# * Website content is static and non-sensitive by design
#
# BUSINESS JUSTIFICATION:
# - Cost optimization: S3-only hosting costs $1-5/month vs $20-35/month with CloudFront
# - Development environments benefit from simplified, cost-effective hosting
# - Production deployments can enable CloudFront for security and performance
#
# ALTERNATIVE CONTROLS:
# - CloudTrail monitors all S3 API operations
# - Bucket policy enforces read-only access to specific paths
# - Feature flags allow security upgrade when needed
# - AWS Config monitors bucket configuration changes
#
# Files affected:
# - modules/storage/s3-bucket/main.tf (conditional public access block)
#
AVD-AWS-0086
AVD-AWS-0087
AVD-AWS-0091
AVD-AWS-0093
# ========================================================================
# End of documented exceptions
# ========================================================================
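#
# The plain-text format above cannot scope an ID to a path or give it an expiry,
# so every entry applies to the whole scan target for ever. The YAML ignore
# file below is an added example (not part of this project) showing the same
# exceptions scoped to the "Files affected" paths listed above, with a review
# date on the CloudFront entry. The file name .trivyignore.yaml, the statements
# and the expiry date are assumptions; the check IDs and paths are those
# documented above.

```yaml
# .trivyignore.yaml  (assumed file name; added example, not the project's own file)
# Use with:  trivy config --ignorefile .trivyignore.yaml .
misconfigurations:
  - id: AVD-AWS-0057
    paths:
      - "modules/s3/main.tf"
    statement: S3 Cross-Region Replication role needs object-level wildcards on the source and destination buckets only

  - id: AVD-AWS-0089
    paths:
      - "modules/s3/main.tf"
    statement: Access logs bucket is the logging sink; object access is covered by CloudTrail S3 data events

  - id: AVD-AWS-0010
    paths:
      - "modules/cloudfront/main.tf"
    statement: logging_config is a dynamic block gated on var.enable_access_logging
    expired_at: 2025-12-31   # assumed review date; Trivy re-raises the finding after this

  - id: AVD-AWS-0086
    paths:
      - "modules/storage/s3-bucket/main.tf"
    statement: Public read access only when enable_cloudfront = false (S3 website hosting)
  - id: AVD-AWS-0087
    paths:
      - "modules/storage/s3-bucket/main.tf"
    statement: Public read access only when enable_cloudfront = false (S3 website hosting)
  - id: AVD-AWS-0091
    paths:
      - "modules/storage/s3-bucket/main.tf"
    statement: Public read access only when enable_cloudfront = false (S3 website hosting)
  - id: AVD-AWS-0093
    paths:
      - "modules/storage/s3-bucket/main.tf"
    statement: Public read access only when enable_cloudfront = false (S3 website hosting)
```

# With the YAML file in place, a second bucket added elsewhere in the repo
# without a public access block is reported again instead of inheriting the
# exception. Where an exception belongs to one resource rather than a whole
# module file, the inline form inside the Terraform file is narrower still:
# a comment of the form  #trivy:ignore:AVD-AWS-0057  directly above the resource
# block suppresses the check for that resource only.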