diff --git a/aws/load_balancer/cloudfront.tf b/aws/load_balancer/cloudfront.tf
index 744c58bd9..7db416a25 100644
--- a/aws/load_balancer/cloudfront.tf
+++ b/aws/load_balancer/cloudfront.tf
@@ -13,7 +13,6 @@ resource "aws_cloudfront_distribution" "maintenance_mode" {
 http_version = "http2"
 default_root_object = "index.html"
 # web_acl_id = aws_wafv2_web_acl.forms_acl.arn - We may want to create a new WAF2 web acl resource with a CLOUDFRONT scope just for this
- aliases = var.domains
 price_class = "PriceClass_100"
 origin {
diff --git a/aws/load_balancer/s3.tf b/aws/load_balancer/s3.tf
index ace941742..1a351e931 100644
--- a/aws/load_balancer/s3.tf
+++ b/aws/load_balancer/s3.tf
@@ -1,4 +1,5 @@
 resource "aws_s3_bucket" "maintenance_mode" {
+ # checkov:skip=CKV2_AWS_6: Public access block is define in a different resource
 # checkov:skip=CKV_AWS_18: Versioning not required
 # checkov:skip=CKV_AWS_19: False-positive, server side encryption is enabled but probably not detected because defined in a different Terraform resource
 # checkov:skip=CKV_AWS_21: Access logging not required
@@ -19,11 +20,15 @@ resource "aws_s3_bucket_ownership_controls" "maintenance_mode" {
 }
 resource "aws_s3_bucket_public_access_block" "maintenance_mode" {
+ # checkov:skip=CKV_AWS_53: Ensure S3 bucket has block public ACLS enabled (not required)
+ # checkov:skip=CKV_AWS_54: Ensure S3 bucket has block public policy enabled (not required)
+ # checkov:skip=CKV_AWS_55: Ensure S3 bucket has ignore public ACLs enabled (not required)
+ # checkov:skip=CKV_AWS_56: Ensure S3 bucket has 'restrict_public_bucket' enabled (not required)
 bucket = aws_s3_bucket.maintenance_mode.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
 }
 resource "aws_s3_bucket_acl" "maintenance_mode" {
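Review bot: All four settings of `aws_s3_bucket_public_access_block.maintenance_mode` are flipped from `true` to `false` in the second s3.tf hunk, and the new checkov skips for CKV_AWS_53 through CKV_AWS_56 justify this only with "(not required)", which does not record why a CloudFront-fronted maintenance bucket needs public ACLs and public bucket policies at all. If the goal is to let the CloudFront distribution read the objects, the bucket can stay fully blocked and be granted access through an origin access control/identity principal in its bucket policy; if a public-read bucket is genuinely intended (for example as a website-endpoint origin), the skip comments should state that reason and only the settings that are actually needed should be relaxed, e.g. keep `block_public_acls = true` and `ignore_public_acls = true` when only a bucket policy is required. The CKV2_AWS_6 skip added in the first s3.tf hunk, `Public access block is define in a different resource`, now points at a resource that disables every protection, so its wording is misleading and should become something like `# checkov:skip=CKV2_AWS_6: Public access block resource exists but is intentionally disabled because <reason>` (also fixing `define` to `defined`). The `aws_s3_bucket_acl` resource that follows starts outside the hunk, so whether it grants a public ACL cannot be confirmed from this diff.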