Create local IaC Exceptions

When you use mimics in automated testing, such as CI/CD pipelines, you may need to silence specific Insight findings. For example, a legacy component may be noncompliant but can't be fixed immediately. Local Exceptions allow teams to temporarily bypass certain findings so pipelines can continue to run. Exceptions apply to an entire IaC configuration, and you can view all findings with Exceptions from the scan list. To learn more about viewing and managing Exceptions, see Explore Exceptions for resources. To learn more about creating Exceptions in the user interface, also called Remote Exceptions, see Create remote IaC Exceptions.

Prerequisites

  • mimics setup and configured
  • A Cloud Security (InsightCloudSec) API key

Familiarity with the Cloud Security (InsightCloudSec) API is not required but helpful.

Add a Local Exception

Local Exceptions for mimics are managed using the configuration file. Exceptions are configured per-Insight. Each Exception can have many resources associated with it and resources can be associated with multiple Exceptions.

To add a Local Exception:

  1. Open your mimics configuration file:

    vim $HOME/.mimics.yaml
  2. Add a Local Exception using the following format:

    scan:
      exceptions:
        - insight_id: <insight-id> # example: backoffice:136
          resources:
            - <relative path to file>:<path to source of finding within file> # example: - cft/s3.yml:Resources.MyBucket
          notes: <optional description or justification for exception>
ℹ️

Not sure how to find the Insight ID or path to the source?

You can use the /v2/public/insights/list endpoint in the Cloud Security (InsightCloudSec) API to find the needed Insight ID. All finding sources are listed in the mimics scan output. See Example for details.

Example

In this example, you have two S3 buckets defined in an AWS CloudFormation template:

  • The first bucket contains assets for internal use. Its contents should be encrypted, so mimics should be used to check for the proper encryption configuration.
  • The second bucket contains some JPEGs for use in a public-facing website, which should not be encrypted.

    Resources:
      # Correctly generates a finding
      ShouldBeEncryptedBucket:
        Type: 'AWS::S3::Bucket'
        Properties:
          BucketName: !Sub 'shouldbeencryptedbucket-${AWS::Region}-${AWS::AccountId}'
      # Generates a finding... but not for long
      PublicJpegBucket:
        Type: 'AWS::S3::Bucket'
        Properties:
          BucketName: !Sub 'publicjpegbucket-${AWS::Region}-${AWS::AccountId}'

If you scan this file right now, you should see these results:

ℹ️

Scan configuration detail

The scan output example was generated using an IaC configuration defined with a single Insight. That configuration is not described here. See the [`mimics` documentation for CLI option details](/insightcloudsec/scanning-cft-and-terraform-commands-and-parameters#command-list--parameters).

    $ mimics scan ./minimal_s3_for_exceptions.yml
    scanning 100% |█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (1/1, 10 files/min)

    [FAIL][MEDIUM][Storage Container Without Server Side Encryption Enabled] in Resources.PublicJpegBucket
      Source: Resources.PublicJpegBucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration (/Users/jsmith/code/examples/cloudformation/minimal_s3_for_exceptions.yml:20)
      Recommendation: Configure the ServerSideEncryptionConfiguration property for each AWS::S3::Bucket resource
    --- a///Users/jsmith/code/examples/cloudformation/minimal_s3_for_exceptions.yml
    +++ b///Users/jsmith/code/examples/cloudformation/minimal_s3_for_exceptions.yml
    @@ -19,3 +19,9 @@
         Type: "AWS::S3::Bucket"
         Properties:
           BucketName: !Sub 'publicjpegbucket-${AWS::Region}-${AWS::AccountId}'
    +      BucketEncryption:
    +        ServerSideEncryptionConfiguration:
    +          BucketKeyEnabled: true
    +          ServerSideEncryptionByDefault:
    +            KMSMasterKeyID: <KMS-KEY-ARN-OR-ALIAS>
    +            SSEAlgorithm: aws:kms

    [FAIL][MEDIUM][Storage Container Without Server Side Encryption Enabled] in Resources.ShouldBeEncryptedBucket
      Source: Resources.ShouldBeEncryptedBucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration (/Users/jsmith/code/csp-shiftleft-main/examples/cloudformation/minimal_s3_for_exceptions.yml:15)
      Recommendation: Configure the ServerSideEncryptionConfiguration property for each AWS::S3::Bucket resource
    --- a//Users/jsmith/code/examples/cloudformation/minimal_s3_for_exceptions.yml
    +++ b//Users/jsmith/code/examples/cloudformation/minimal_s3_for_exceptions.yml
    @@ -14,6 +14,12 @@
         Type: "AWS::S3::Bucket"
         Properties:
           BucketName: !Sub 'shouldbeencryptedbucket-${AWS::Region}-${AWS::AccountId}'
    +      BucketEncryption:
    +        ServerSideEncryptionConfiguration:
    +          BucketKeyEnabled: true
    +          ServerSideEncryptionByDefault:
    +            KMSMasterKeyID: <KMS-KEY-ARN-OR-ALIAS>
    +            SSEAlgorithm: aws:kms
       # Generates a finding... but not for long
       PublicJpegBucket:
         Type: "AWS::S3::Bucket"

    Scan Summary:
        Failed Insights.......1
        Warned Insights.......0
        Suppressed Findings...0
    2023-01-19T13:12:45-05:00 INF Scan failed on one or more insights
    exit status 1

You want to keep the second bucket un-encrypted for now, so you add a local Exception:

    scan:
      exceptions:
        - insight_id: backoffice:136
          resources:
            - examples/configuration/minimal_s3_for_exceptions.yml:Resources.PublicJpegBucket
          notes: Image-hosting bucket intentionally left unencrypted

If you scan the file again, you see only one failed resource:

ℹ️

Want to see your Exceptions?

You can confirm any triggered Exceptions using the --show-exceptions flag.

    $ mimics scan ./minimal_s3_for_exceptions.yml
    scanning 100% |█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| (1/1, 10 files/min)

    [FAIL][MEDIUM][Storage Container Without Server Side Encryption Enabled] in Resources.ShouldBeEncryptedBucket
      Source: Resources.ShouldBeEncryptedBucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration (/Users/jsmith/code/examples/cloudformation/minimal_s3_for_exceptions.yml:5)
      Recommendation: Configure the ServerSideEncryptionConfiguration property for each AWS::S3::Bucket resource
    --- a//Users/jsmith/code/examples/cloudformation/minimal_s3_for_exceptions.yml
    +++ b//Users/jsmith/code/examples/cloudformation/minimal_s3_for_exceptions.yml
    @@ -4,6 +4,12 @@
         Type: "AWS::S3::Bucket"
         Properties:
           BucketName: !Sub 'shouldbeencryptedbucket-${AWS::Region}-${AWS::AccountId}'
    +      BucketEncryption:
    +        ServerSideEncryptionConfiguration:
    +          BucketKeyEnabled: true
    +          ServerSideEncryptionByDefault:
    +            KMSMasterKeyID: <KMS-KEY-ARN-OR-ALIAS>
    +            SSEAlgorithm: aws:kms
       # Generates a finding... but not for long
       PublicJpegBucket:
         Type: "AWS::S3::Bucket"

    Scan Summary:
        Failed Insights.......1
        Warned Insights.......0
        Suppressed Findings...0
    2023-01-23T10:35:56-05:00 INF Scan failed on one or more insights
    exit status 1
    $
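The Exception format in "Add a Local Exception" and the walkthrough above describe a matching rule (Insight ID plus `<file>:<source path>`) but give no way to preview it before a pipeline run, or to notice Exceptions that have gone stale after a template changed. The script below is an added example, not part of the mimics documentation or the mimics tool: it parses the `[FAIL]`/`Source:` lines of `mimics scan` output, applies a list of Exceptions (the dict structure a YAML loader returns for `scan.exceptions`), and reports which findings would still fail, which are suppressed, which Exception entries matched nothing, and which Exceptions lack a `notes` justification. The scan output, the Exception list and the Insight-name-to-ID map are constructed sample data; the assumption that a relative path in an Exception matches a finding whose file path ends with it is mine, not something the page states.

```python
"""Dry-run which mimics findings a set of Local Exceptions would suppress.

Added example; not part of mimics. Assumptions are marked in comments.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Header line:  [FAIL][MEDIUM][<Insight name>] in <resource>
FINDING_RE = re.compile(
    r"^\[(?P<status>FAIL|WARN)\]\[(?P<severity>\w+)\]\[(?P<insight>[^\]]+)\] in (?P<resource>\S+)$"
)
# Source line:  Source: <property path> (<file>:<line>)
SOURCE_RE = re.compile(r"^\s*Source: \S+ \((?P<file>[^:)]+):(?P<line>\d+)\)$")

# Constructed sample modelled on the scan output shown above (diff recommendations omitted).
SAMPLE_SCAN_OUTPUT = """\
$ mimics scan ./minimal_s3_for_exceptions.yml
[FAIL][MEDIUM][Storage Container Without Server Side Encryption Enabled] in Resources.PublicJpegBucket
  Source: Resources.PublicJpegBucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration (/home/ci/repo/examples/cloudformation/minimal_s3_for_exceptions.yml:20)
  Recommendation: Configure the ServerSideEncryptionConfiguration property for each AWS::S3::Bucket resource
[FAIL][MEDIUM][Storage Container Without Server Side Encryption Enabled] in Resources.ShouldBeEncryptedBucket
  Source: Resources.ShouldBeEncryptedBucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration (/home/ci/repo/examples/cloudformation/minimal_s3_for_exceptions.yml:15)
  Recommendation: Configure the ServerSideEncryptionConfiguration property for each AWS::S3::Bucket resource
Scan Summary:
    Failed Insights.......1
"""

# Constructed: the structure a YAML loader returns for `scan.exceptions` in .mimics.yaml.
SAMPLE_EXCEPTIONS = [
    {
        "insight_id": "backoffice:136",
        "resources": ["examples/cloudformation/minimal_s3_for_exceptions.yml:Resources.PublicJpegBucket"],
        "notes": "Image-hosting bucket intentionally left unencrypted",
    },
    {   # stale entry: this resource no longer produces a finding, and it has no justification
        "insight_id": "backoffice:136",
        "resources": ["examples/cloudformation/old_template.yml:Resources.RetiredBucket"],
        "notes": "",
    },
]

# Constructed name -> ID map; in practice look IDs up via /v2/public/insights/list.
SAMPLE_INSIGHT_IDS = {"Storage Container Without Server Side Encryption Enabled": "backoffice:136"}


@dataclass(frozen=True)
class Finding:
    insight_name: str
    severity: str
    resource: str
    file: str
    line: int


def parse_findings(scan_output: str) -> list[Finding]:
    """Pair each [FAIL]/[WARN] header with the Source: line that follows it."""
    findings, pending = [], None
    for raw in scan_output.splitlines():
        m = FINDING_RE.match(raw.strip())
        if m:
            pending = m.groupdict()
            continue
        s = SOURCE_RE.match(raw)
        if s and pending:
            findings.append(Finding(pending["insight"], pending["severity"],
                                    pending["resource"], s["file"], int(s["line"])))
            pending = None
    return findings


def _entry_matches(entry: str, f: Finding) -> bool:
    """ASSUMPTION: '<path>:<source>' matches when the finding's file ends with <path>."""
    path, sep, source = entry.partition(":")
    if not sep:
        return False
    rel, norm_file = os.path.normpath(path), os.path.normpath(f.file)
    return source == f.resource and (norm_file == rel or norm_file.endswith(os.sep + rel))


def apply_exceptions(findings, exceptions, insight_ids):
    """Return (still_failing, suppressed, unused_entries) for a dry run."""
    failing, suppressed, used = [], [], set()
    for f in findings:
        hit = False
        for i, exc in enumerate(exceptions):
            if insight_ids.get(f.insight_name) != exc.get("insight_id"):
                continue
            for entry in exc.get("resources", []):
                if _entry_matches(entry, f):
                    used.add((i, entry))
                    hit = True
        (suppressed if hit else failing).append(f)
    unused = [(exc.get("insight_id"), entry) for i, exc in enumerate(exceptions)
              for entry in exc.get("resources", []) if (i, entry) not in used]
    return failing, suppressed, unused


def lint_exceptions(exceptions) -> list[str]:
    """Hygiene checks: every Exception needs an ID, a justification, well-formed unique entries."""
    problems, seen = [], set()
    for exc in exceptions:
        iid = exc.get("insight_id")
        if not iid:
            problems.append("exception without insight_id")
        if not (exc.get("notes") or "").strip():
            problems.append(f"{iid}: missing notes (justification)")
        for entry in exc.get("resources", []):
            if ":" not in entry:
                problems.append(f"{iid}: malformed resource entry {entry!r}")
            if (iid, entry) in seen:
                problems.append(f"{iid}: duplicate resource entry {entry!r}")
            seen.add((iid, entry))
    return problems


if __name__ == "__main__":
    found = parse_findings(SAMPLE_SCAN_OUTPUT)
    fail, skip, stale = apply_exceptions(found, SAMPLE_EXCEPTIONS, SAMPLE_INSIGHT_IDS)
    for f in fail:
        print("FAIL      ", f.resource, f"({f.file}:{f.line})")
    for f in skip:
        print("SUPPRESSED", f.resource)
    for iid, entry in stale:
        print("UNUSED    ", iid, entry)
    for p in lint_exceptions(SAMPLE_EXCEPTIONS):
        print("LINT      ", p)
```

Run as a pipeline pre-check, the "UNUSED" and "LINT" lines are the ones worth acting on: an Exception whose resource no longer produces a finding is usually a leftover that should be deleted rather than carried forward, and an Exception without `notes` cannot be reviewed later. Compare the "FAIL"/"SUPPRESSED" split with the `--show-exceptions` output of a real run to confirm the path-matching assumption for your repository layout.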