
feat(terraform): PC Policy Team Yaml Policies Check-in #3785

Merged
merged 4 commits into from
Nov 8, 2022

Conversation

ssiddardha
Contributor

@ssiddardha ssiddardha commented Nov 3, 2022

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

This PR has 3 Yaml-based checks, with detailed descriptions below.

Checkov Title: Ensure an IAM role is attached to EC2 instance

PC Title - AWS EC2 Instance IAM Role not enabled

PC Policy ID - 8f2a2ff7-b484-463d-95df-aecd038f62b0

Compliance Standard - ACSC Information Security Manual (ISM)-ISM-1566, API Auto Clone of PIPEDA-4.7.3, APRA (CPS 234) Information Security-CPS234-14, APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, Australian Cyber Security Centre (ACSC) Essential Eight-Restrict administrative privileges, Australian Energy Sector Cyber Security Framework (AESCSF)-IAM-2D, Australian Energy Sector Cyber Security Framework (AESCSF)-IAM-2F, Brazilian Data Protection Law (LGPD)-Article 49, CCPA 2018-1798.150(a)(1), CIS Controls v7.1-19.2, CIS Controls v8-6.8, CIS v1.2.0 (AWS)-1.19, CIS v1.3.0 (AWS)-1.18, CIS v1.4.0 (AWS)-1.18, CIS v1.5.0 (AWS) - Level 2-1.18, CSA CCM v.4.0.1-DSP-17, CSA CCM v.4.0.1-IAM-04, CSA CCM v.4.0.1-IAM-05, CSA CCM v.4.0.1-IAM-09, CSA CCM v.4.0.1-IAM-16, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 49, Copy of APRA (CPS 234) Information Security-CPS234-14, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, Copy of Brazilian Data Protection Law (LGPD)-Article 49, CyberSecurity Law of the People's Republic of China-Article 30, CyberSecurity Law of the People's Republic of China-Article 31, CyberSecurity Law of the People's Republic of China-Article 41, CyberSecurity Law of the People's Republic of China-Article 43, CyberSecurity Law of the People's Republic of China-Article 44, CyberSecurity Law of the People's Republic of China-Article 45, Cybersecurity Maturity Model Certification (CMMC) v.1.02-AC.2.007, Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)-AC.L1-3.1.2, FFIEC-D1.R.St.B.1, FFIEC-D3.PC.Am.B.1, FFIEC-D3.PC.Am.B.2, FFIEC-D3.PC.Am.B.4, HITRUST CSF v.9.6.0-11.a, HITRUST v.9.4.2-Control Reference:01.c, ISO/IEC 27002:2013-18.1.3, ISO/IEC 27002:2013-18.1.4, ISO/IEC 27002:2013-6.1.2, ISO/IEC 27002:2013-9.1.1, ISO/IEC 27002:2013-9.1.2, ISO/IEC 27002:2013-9.2.3, ISO/IEC 27002:2013-9.2.5, ISO/IEC 27017:2015-9.2.3, ISO/IEC 27017:2015-9.2.5, ISO/IEC 27018:2019-9.2.3, ISO/IEC 27018:2019-9.2.5, MAS TRM 2021-9.1.1, MITRE ATT&CK v10.0-T1098 - Account Manipulation, MITRE ATT&CK v6.3-T1098, MITRE ATT&CK v6.3-T1098, MITRE ATT&CK v8.2-T1098, MLPS 2.0-8.2.4.1, NIST 800-53 Rev 5-Access Enforcement | Role-based Access Control, NIST 800-53 Rev4-AC-3 (7), NIST CSF-PR.AC-4, NIST SP 800-171 Revision 2-3.1.5, NIST SP 800-172-3.1.2e, PCI DSS v3.2.1-7.1, PCI DSS v3.2.1-7.1.2, PCI DSS v4.0-10.3.1, PCI DSS v4.0-7.1.1, PCI DSS v4.0-7.2.1, PCI DSS v4.0-7.2.2, PCI DSS v4.0-7.2.4, PCI DSS v4.0-7.2.6, PCI DSS v4.0-7.3.1, PCI DSS v4.0-7.3.2, PIPEDA-4.7.3, Risk Management in Technology (RMiT)-10.55, TestCompliance-CPS234-14, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34

Remediation Steps:
The most common setup is the AWS default that allows for EC2 access to AWS Services. For most, this is a great way to realize flexible, yet secure, EC2 access enabled for your instances. Select this when you launch EC2 instances to automatically inherit these permissions.

IAM

  1. Go to the AWS console IAM dashboard.
  2. In the navigation pane, choose Roles, Create new role.
  3. Under 'Choose the service that will use this role' select EC2, then 'Next:Permissions.'
  4. On the Attach permissions policies page, select an AWS managed policy that grants your instance access to the resources that they need, then 'Next:Tags.'
  5. Add tags (optional), then select 'Next:Review.'
  6. On the Create role and Review page, type a name for the role and choose Create role.

EC2

  1. Go to the AWS console EC2 dashboard.
  2. Select Running Instances.
  3. Check the instance you want to modify.
  4. From the Actions pull down menu, select Instance Settings and Attach/Replace IAM Role.
  5. On the Attach/Replace IAM Role page, under the IAM role pull down menu, choose the role created in the IAM steps above.

Checkov Title: GCP Cloud Function HTTP trigger is secured

PC Policy ID - 4eab897c-f9a8-439d-b3d5-ac48f5d827e7

PC Policy Title - GCP Cloud Function HTTP trigger is not secured

Compliance Standard - ACSC Information Security Manual (ISM)-ISM-0469, ACSC Information Security Manual (ISM)-ISM-1552, CIS Controls v7.1-14.4, CIS Controls v7.1-16.5, CIS Controls v8-3.10, FFIEC-D1.RM.Au.B.2, New Zealand Information Security Manual (NZISM v3.4)-17.4, PCI DSS v4.0-2.2.7, PCI DSS v4.0-4.1.1, PCI DSS v4.0-4.2.1, PCI DSS v4.0-4.2.1.2, PCI DSS v4.0-4.2.2, PCI DSS v4.0-8.3.2

Remediation Steps:

  1. Login to GCP console
  2. Navigate to 'Cloud Functions' service (Left Panel)
  3. Click on the alerting function
  4. Click on 'EDIT'
  5. Under section 'Trigger', click on 'EDIT'
  6. Select the checkbox against the field 'Require HTTPS'
  7. Click on 'SAVE'
  8. Click on 'NEXT'
  9. Click on 'DEPLOY'

Checkov Title: GCP GCR Container Vulnerability Scanning is enabled

PC Policy ID - 0367679b-7384-4d67-9673-22e6ba99719e

PC Policy Title - GCP GCR Container Vulnerability Scanning is disabled

Compliance Standard - ACSC Information Security Manual (ISM)-ISM-1698, Australian Energy Sector Cyber Security Framework (AESCSF)-TVM-AP2, CIS Controls v7.1-3.1, CIS Controls v7.1-3.2, CIS Controls v8-10.4, CSA CCM v.4.0.1-A&A-03, CSA CCM v.4.0.1-AIS-01, CSA CCM v.4.0.1-AIS-02, CSA CCM v.4.0.1-AIS-04, CSA CCM v.4.0.1-CCC-01, CSA CCM v.4.0.1-DSP-01, CSA CCM v.4.0.1-DSP-04, CSA CCM v.4.0.1-GRC-03, CSA CCM v.4.0.1-IVS-04, CSA CCM v.4.0.1-TVM-01, CSA CCM v.4.0.1-TVM-07, CSA CCM v.4.0.1-TVM-08, CSA CCM v.4.0.1-TVM-09, CSA CCM v.4.0.1-TVM-10, CSA CCM v.4.0.1-UEM-03, CSA CCM v.4.0.1-UEM-06, HITRUST v.9.4.2-Control Reference:10.m, ISO/IEC 27002:2013-12.1.1, ISO/IEC 27002:2013-12.1.2, ISO/IEC 27002:2013-12.6.1, ISO/IEC 27002:2013-14.1.1, ISO/IEC 27002:2013-14.1.2, ISO/IEC 27002:2013-14.2.1, ISO/IEC 27002:2013-14.2.2, ISO/IEC 27002:2013-14.2.4, ISO/IEC 27002:2013-16.1.2, ISO/IEC 27002:2013-16.1.3, ISO/IEC 27002:2013-18.2.1, ISO/IEC 27002:2013-5.1.1, ISO/IEC 27002:2013-5.1.2, ISO/IEC 27002:2013-8.2.1, ISO/IEC 27017:2015-12.1.2, ISO/IEC 27017:2015-14.1.1, ISO/IEC 27017:2015-14.1.2, ISO/IEC 27017:2015-14.2.1, ISO/IEC 27017:2015-14.2.5, ISO/IEC 27017:2015-5.1.1, ISO/IEC 27018:2019-12.1.2, ISO/IEC 27018:2019-18.2.1, NIST CSF-DE.AE-4, NIST CSF-DE.CM-8, NIST CSF-ID.RA-1, NIST CSF-ID.RA-3, NIST CSF-ID.RA-4, NIST CSF-ID.RA-5, NIST CSF-PR.IP-1, NIST CSF-RS.AN-2, NIST CSF-RS.MI-3, NIST SP 800-171 Revision 2-3.11.1, NIST SP 800-171 Revision 2-3.11.2, NIST SP 800-172-3.12.1e, New Zealand Information Security Manual (NZISM v3.4)-12.4, PCI DSS v3.2.1-6.1, PCI DSS v3.2.1-6.2, PCI DSS v4.0-5.3.3

Remediation Steps:
  1. Login to the GCP console
  2. For the reported account, navigate to the GCP service 'Container Registry' (Left Panel)
  3. Select the tab 'Settings'
  4. To enable the vulnerability scanning, click on the 'TURN ON' button.
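As an added illustration, not code from this PR or from the Checkov project, the Python sketch below writes the first two checks in the shape of a Checkov custom YAML policy (a `metadata` block plus a `definition` with `cond_type`, `resource_types`, `attribute`, `operator` and `value`) and evaluates them with a deliberately minimal stand-in for Checkov's engine against a few constructed Terraform-style resources. The policy ids are placeholders; the attribute names `iam_instance_profile`, `https_trigger_security_level` and `service` are taken from the corresponding Terraform provider resources; and the GCR scanning check is modelled here as a project-wide existence check on `google_project_service` (an assumption about how that setting is expressed in Terraform, not a Checkov field).

```python
"""Minimal evaluation of Checkov-style attribute policies (added example).

Not the PR's YAML and not Checkov's engine: the two policy dicts mirror the
layout of a Checkov custom YAML policy (metadata + definition), the ids are
placeholders, and the evaluator is a toy stand-in that shows what
'operator: exists' / 'operator: equals' decide for a given resource.
"""
from typing import Any, Callable, Dict, List

Resource = Dict[str, Any]

# Python equivalent of a Checkov-shaped YAML policy (assumed layout).
EC2_IAM_ROLE_POLICY: Dict[str, Any] = {
    "metadata": {
        "id": "CKV2_AWS_PLACEHOLDER",  # placeholder, not a real Checkov id
        "name": "Ensure an IAM role is attached to EC2 instance",
        "category": "IAM",
    },
    "definition": {
        "cond_type": "attribute",
        "resource_types": ["aws_instance"],
        "attribute": "iam_instance_profile",  # Terraform aws_instance argument
        "operator": "exists",
    },
}

CLOUD_FUNCTION_HTTPS_POLICY: Dict[str, Any] = {
    "metadata": {
        "id": "CKV2_GCP_PLACEHOLDER",  # placeholder, not a real Checkov id
        "name": "GCP Cloud Function HTTP trigger is secured",
        "category": "NETWORKING",
    },
    "definition": {
        "cond_type": "attribute",
        "resource_types": ["google_cloudfunctions_function"],
        "attribute": "https_trigger_security_level",
        "operator": "equals",
        "value": "SECURE_ALWAYS",  # the console's 'Require HTTPS' checkbox
    },
}

# Subset of Checkov's attribute operators, re-implemented for this toy.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "exists": lambda actual, _expected: actual not in (None, ""),
    "not_exists": lambda actual, _expected: actual in (None, ""),
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
}


def evaluate_attribute_policy(policy: Dict[str, Any], resources: List[Resource]) -> Dict[str, str]:
    """Return {'<type>.<name>': 'PASSED' | 'FAILED'} for each resource the policy targets."""
    definition = policy["definition"]
    if definition["cond_type"] != "attribute":
        raise ValueError("this toy evaluator only handles cond_type: attribute")
    check = OPERATORS[definition["operator"]]
    results: Dict[str, str] = {}
    for res in resources:
        if res["type"] not in definition["resource_types"]:
            continue  # policy does not apply to this resource type
        actual = res.get(definition["attribute"])
        passed = check(actual, definition.get("value"))
        results[f"{res['type']}.{res['name']}"] = "PASSED" if passed else "FAILED"
    return results


def gcr_scanning_enabled(resources: List[Resource]) -> bool:
    """Project-level check (assumed model): passes if some google_project_service
    resource enables the Container Scanning API for the project."""
    return any(
        res["type"] == "google_project_service"
        and res.get("service") == "containerscanning.googleapis.com"
        for res in resources
    )


# Constructed sample input, shaped like Terraform resources after parsing.
SAMPLE_RESOURCES: List[Resource] = [
    {"type": "aws_instance", "name": "web", "iam_instance_profile": "web-profile"},
    {"type": "aws_instance", "name": "batch"},  # no instance profile -> FAILED
    {"type": "google_cloudfunctions_function", "name": "hook",
     "https_trigger_security_level": "SECURE_ALWAYS"},
    {"type": "google_cloudfunctions_function", "name": "legacy",
     "https_trigger_security_level": "SECURE_OPTIONAL"},  # plain HTTP allowed -> FAILED
    {"type": "google_project_service", "name": "scan",
     "service": "containerscanning.googleapis.com"},
]


def run_all(resources: List[Resource]) -> Dict[str, Any]:
    """Evaluate all three checks and return one report keyed by check name."""
    return {
        EC2_IAM_ROLE_POLICY["metadata"]["name"]:
            evaluate_attribute_policy(EC2_IAM_ROLE_POLICY, resources),
        CLOUD_FUNCTION_HTTPS_POLICY["metadata"]["name"]:
            evaluate_attribute_policy(CLOUD_FUNCTION_HTTPS_POLICY, resources),
        "GCP GCR Container Vulnerability Scanning is enabled":
            "PASSED" if gcr_scanning_enabled(resources) else "FAILED",
    }


if __name__ == "__main__":
    for check_name, outcome in run_all(SAMPLE_RESOURCES).items():
        print(f"{check_name}: {outcome}")
```

The two attribute policies report per resource, which is why `aws_instance.batch` and the `SECURE_OPTIONAL` function fail while their siblings pass; the scanning check is a single verdict for the whole set of resources, since the API is enabled once per project rather than per image.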

@ssiddardha ssiddardha changed the title PC Policy Team Yaml Policies Checkin PC Policy Team Yaml Policies Check-in Nov 3, 2022
@gruebel gruebel changed the title PC Policy Team Yaml Policies Check-in feat(terraform): PC Policy Team Yaml Policies Check-in Nov 3, 2022
Contributor

@gruebel gruebel left a comment


nice, good job 🏅

@gruebel gruebel merged commit 4245295 into bridgecrewio:master Nov 8, 2022
@ssiddardha
Contributor Author

nice, good job 🏅

Thanks @gruebel for your valuable suggestions and timely review
