Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

move to one lb #6377

Merged
merged 3 commits into from
Jun 3, 2024
Merged

move to one lb #6377

merged 3 commits into from
Jun 3, 2024

Conversation

georgepstaylor
Copy link
Member

No description provided.

@georgepstaylor georgepstaylor requested review from a team as code owners June 3, 2024 14:03
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 3, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jun 3, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-jitbit

Running Trivy in terraform/environments/delius-jitbit
2024-06-03T14:05:48Z INFO Need to update DB
2024-06-03T14:05:48Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-03T14:05:50Z INFO Vulnerability scanning is enabled
2024-06-03T14:05:50Z INFO Misconfiguration scanning is enabled
2024-06-03T14:05:50Z INFO Need to update the built-in policies
2024-06-03T14:05:50Z INFO Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-03T14:05:50Z INFO Secret scanning is enabled
2024-06-03T14:05:50Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-03T14:05:50Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-03T14:05:53Z INFO Number of language-specific files num=0
2024-06-03T14:05:53Z INFO Detected config files num=15

ecs.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:70
via ecs.tf:64-72 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
64 resource "aws_security_group_rule" "allow_all_egress" {
65 description = "Allow all outbound traffic to any IPv4 address"
66 type = "egress"
67 from_port = 0
68 to_port = 0
69 protocol = "-1"
70 [ cidr_blocks = ["0.0.0.0/0"]
71 security_group_id = aws_security_group.jitbit.id
72 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
via s3.tf:1-84 (module.jitbit_bucket)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
via ecs.tf:11-51 (module.s3_bucket_app_deployment)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────

iam.tf (terraform)

Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lb.tf (terraform)

Tests: 10 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 1)
Failures: 6 (HIGH: 0, CRITICAL: 6)

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:7ff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:3fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:7fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:7ff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:6-8
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "jitbit_alerting" {
7 │ name = "jitbit_alerting"
8 └ }
────────────────────────────────────────

ses.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ses_bounce.tf (terraform)

Tests: 6 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ses_bounce.tf:1-5
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
2 │ name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
3 │
4 │ tags = local.tags
5 └ }
────────────────────────────────────────

ses_logging.tf (terraform)

Tests: 5 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ses_logging.tf:4-8
────────────────────────────────────────
4 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic" {
5 │ name = format("%s-ses-destination-topic", local.application_name)
6 │
7 │ tags = local.tags
8 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Checkov in terraform/environments/delius-jitbit
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-03 14:05:56,485 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:05:56,485 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:05:56,485 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:05:56,485 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:05:56,485 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 316, Failed checks: 69, Skipped checks: 18

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # custom scaling schedule
		33 |   autoscaling_cron = {
		34 |     "down" : "0 21 * * *",
		35 |     "up" : "0 05 * * *"
		36 |   }
		37 | 
		38 |   # Tags
		39 |   tags_common = local.tags
		40 |   tags_prefix = terraform.workspace
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_sandbox
	File: /sandbox_ecs.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ecs_sandbox" {
		2  |   count = local.is-development ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		5  | 
		6  |   environment = local.environment
		7  |   name        = "${local.application_name}-sandbox"
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment_sandbox
	File: /sandbox_ecs.tf:12-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "s3_bucket_app_deployment_sandbox" {
		13 |   count = local.is-development ? 1 : 0
		14 | 
		15 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		16 | 
		17 |   providers = {
		18 |     aws.bucket-replication = aws
		19 |   }
		20 |   bucket_name        = "${local.application_name}-sandbox-deployment"
		21 |   versioning_enabled = true
		22 | 
		23 |   ownership_controls = "BucketOwnerEnforced"
		24 | 
		25 |   lifecycle_rule = [
		26 |     {
		27 |       id      = "main"
		28 |       enabled = "Enabled"
		29 |       prefix  = ""
		30 | 
		31 |       tags = {
		32 |         rule      = "log"
		33 |         autoclean = "true"
		34 |       }
		35 | 
		36 |       noncurrent_version_transition = [
		37 |         {
		38 |           days          = 90
		39 |           storage_class = "STANDARD_IA"
		40 |           }, {
		41 |           days          = 365
		42 |           storage_class = "GLACIER"
		43 |         }
		44 |       ]
		45 | 
		46 |       noncurrent_version_expiration = {
		47 |         days = 730
		48 |       }
		49 |     }
		50 |   ]
		51 | 
		52 |   tags = local.tags
		53 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket_sandbox
	File: /sandbox_s3.tf:1-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.jitbit_ses_smtp_user
	File: /ses.tf:101-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		101 | resource "aws_iam_user" "jitbit_ses_smtp_user" {
		102 |   name = "${local.environment}-jitbit-smtp-user"
		103 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jitbit_ses_smtp_user
	File: /ses.tf:128-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "jitbit_ses_smtp_user" {
		129 |   name = "/${local.environment}/jitbit/ses_smtp"
		130 |   type = "SecureString"
		131 |   value = jsonencode({
		132 |     user              = aws_iam_user.jitbit_ses_smtp_user.name,
		133 |     key               = aws_iam_access_key.jitbit_ses_smtp_user.id,
		134 |     secret            = aws_iam_access_key.jitbit_ses_smtp_user.secret
		135 |     ses_smtp_user     = aws_iam_access_key.jitbit_ses_smtp_user.id
		136 |     ses_smtp_password = aws_iam_access_key.jitbit_ses_smtp_user.ses_smtp_password_v4
		137 |   })
		138 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  |   
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  |   
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic_bounce_email_notification
	File: /ses_bounce.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
		2 |   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
		3 | 
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled"
	FAILED for resource: aws_dynamodb_table.bounce_email_notification
	File: /ses_bounce.tf:126-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-6

		126 | resource "aws_dynamodb_table" "bounce_email_notification" {
		127 |   name           = "bounce_email_notification"
		128 |   billing_mode   = "PAY_PER_REQUEST"
		129 |   hash_key       = "email_ticket_id"
		130 | 
		131 |   server_side_encryption {
		132 |     enabled = true
		133 |     kms_key_arn = data.aws_kms_key.general_shared.arn
		134 |   }
		135 | 
		136 |   ttl {
		137 |     attribute_name = "expireAt"
		138 |     enabled = true
		139 |   }
		140 | 
		141 |   attribute {
		142 |     name = "email_ticket_id"
		143 |     type = "S"
		144 |   }
		145 | 
		146 |   tags = local.tags
		147 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic
	File: /ses_logging.tf:4-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		4 | resource "aws_sns_topic" "jitbit_ses_destination_topic" {
		5 |   name = format("%s-ses-destination-topic", local.application_name)
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.sns_logs
	File: /ses_logging.tf:59-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "sns_logs" {
		60 |   name              = format("%s-ses-logs", local.application_name)
		61 |   retention_in_days = local.application_data.accounts[local.environment].lambda_log_retention_days
		62 | 
		63 |   tags = local.tags
		64 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.this
	File: /waf.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string_sandbox
	File: /sandbox_secrets.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2  | resource "aws_secretsmanager_secret" "db_app_connection_string_sandbox" {
		3  |   count = local.is-development ? 1 : 0
		4  |   #checkov:skip=CKV_AWS_149
		5  |   name                    = "${var.networking[0].application}-app-connection-string-sandbox"
		6  |   recovery_window_in_days = 0
		7  |   tags = merge(
		8  |     local.tags,
		9  |     {
		10 |       Name = "${var.networking[0].application}-app-connection-string-sandbox"
		11 |     },
		12 |   )
		13 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit
	File: /ecs.tf:53-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		53 | resource "aws_security_group" "jitbit" {
		54 |   vpc_id      = data.aws_vpc.shared.id
		55 |   name        = format("hmpps-%s-%s-service", local.environment, local.application_name)
		56 |   description = "Security group for the ${local.application_name} service"
		57 |   tags        = local.tags
		58 | 
		59 |   lifecycle {
		60 |     create_before_destroy = true
		61 |   }
		62 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit_sandbox
	File: /sandbox_ecs.tf:55-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		55 | resource "aws_security_group" "jitbit_sandbox" {
		56 |   count = local.is-development ? 1 : 0
		57 | 
		58 |   vpc_id      = data.aws_vpc.shared.id
		59 |   name        = format("hmpps-%s-%s-service", "sandbox", local.application_name)
		60 |   description = "Security group for the ${local.application_name} service"
		61 |   tags        = local.tags
		62 | 
		63 |   lifecycle {
		64 |     create_before_destroy = true
		65 |   }
		66 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/ses_bounce.tf line 23:
  23: data "archive_file" "lambda_function_payload_bounce_email_notification" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Trivy in terraform/environments/delius-jitbit
2024-06-03T14:05:48Z	INFO	Need to update DB
2024-06-03T14:05:48Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-03T14:05:50Z	INFO	Vulnerability scanning is enabled
2024-06-03T14:05:50Z	INFO	Misconfiguration scanning is enabled
2024-06-03T14:05:50Z	INFO	Need to update the built-in policies
2024-06-03T14:05:50Z	INFO	Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-03T14:05:50Z	INFO	Secret scanning is enabled
2024-06-03T14:05:50Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-03T14:05:50Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-03T14:05:53Z	INFO	Number of language-specific files	num=0
2024-06-03T14:05:53Z	INFO	Detected config files	num=15

ecs.tf (terraform)
==================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:70
   via ecs.tf:64-72 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  64   resource "aws_security_group_rule" "allow_all_egress" {
  65     description       = "Allow all outbound traffic to any IPv4 address"
  66     type              = "egress"
  67     from_port         = 0
  68     to_port           = 0
  69     protocol          = "-1"
  70 [   cidr_blocks       = ["0.0.0.0/0"]
  71     security_group_id = aws_security_group.jitbit.id
  72   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)
======================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
   via s3.tf:1-84 (module.jitbit_bucket)
────────────────────────────────────────
 157resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 158 │   bucket = aws_s3_bucket.default.id
 159 │   rule {
 160 │     apply_server_side_encryption_by_default {
 161 │       sse_algorithm     = var.sse_algorithm
 162 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 163 │     }
 164 │   }
 165 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
   via ecs.tf:11-51 (module.s3_bucket_app_deployment)
────────────────────────────────────────
 157resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 158 │   bucket = aws_s3_bucket.default.id
 159 │   rule {
 160 │     apply_server_side_encryption_by_default {
 161 │       sse_algorithm     = var.sse_algorithm
 162 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 163 │     }
 164 │   }
 165 └ }
────────────────────────────────────────



iam.tf (terraform)
==================
Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lb.tf (terraform)
=================
Tests: 10 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 1)
Failures: 6 (HIGH: 0, CRITICAL: 6)

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:7ff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:3fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:7fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:7ff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:6-8
────────────────────────────────────────
   6resource "aws_sns_topic" "jitbit_alerting" {
   7 │   name = "jitbit_alerting"
   8 └ }
────────────────────────────────────────



ses.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ses_bounce.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ses_bounce.tf:1-5
────────────────────────────────────────
   1resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
   2 │   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
   34 │   tags = local.tags
   5 └ }
────────────────────────────────────────



ses_logging.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ses_logging.tf:4-8
────────────────────────────────────────
   4resource "aws_sns_topic" "jitbit_ses_destination_topic" {
   5 │   name = format("%s-ses-destination-topic", local.application_name)
   67 │   tags = local.tags
   8 └ }
────────────────────────────────────────


trivy_exitcode=1

@georgepstaylor georgepstaylor had a problem deploying to delius-jitbit-development June 3, 2024 14:13 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jun 3, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-jitbit

Running Trivy in terraform/environments/delius-jitbit
2024-06-03T14:13:31Z INFO Need to update DB
2024-06-03T14:13:31Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-03T14:13:33Z INFO Vulnerability scanning is enabled
2024-06-03T14:13:33Z INFO Misconfiguration scanning is enabled
2024-06-03T14:13:33Z INFO Need to update the built-in policies
2024-06-03T14:13:33Z INFO Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-03T14:13:33Z INFO Secret scanning is enabled
2024-06-03T14:13:33Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-03T14:13:33Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-03T14:13:37Z INFO Number of language-specific files num=0
2024-06-03T14:13:37Z INFO Detected config files num=15

ecs.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:70
via ecs.tf:64-72 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
64 resource "aws_security_group_rule" "allow_all_egress" {
65 description = "Allow all outbound traffic to any IPv4 address"
66 type = "egress"
67 from_port = 0
68 to_port = 0
69 protocol = "-1"
70 [ cidr_blocks = ["0.0.0.0/0"]
71 security_group_id = aws_security_group.jitbit.id
72 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
via s3.tf:1-84 (module.jitbit_bucket)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
via ecs.tf:11-51 (module.s3_bucket_app_deployment)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────

iam.tf (terraform)

Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lb.tf (terraform)

Tests: 10 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 1)
Failures: 6 (HIGH: 0, CRITICAL: 6)

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:7ff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:3fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:7fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:7ff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:6-8
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "jitbit_alerting" {
7 │ name = "jitbit_alerting"
8 └ }
────────────────────────────────────────

ses.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ses_bounce.tf (terraform)

Tests: 6 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ses_bounce.tf:1-5
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
2 │ name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
3 │
4 │ tags = local.tags
5 └ }
────────────────────────────────────────

ses_logging.tf (terraform)

Tests: 5 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ses_logging.tf:4-8
────────────────────────────────────────
4 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic" {
5 │ name = format("%s-ses-destination-topic", local.application_name)
6 │
7 │ tags = local.tags
8 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Checkov in terraform/environments/delius-jitbit
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-03 14:13:39,822 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:13:39,822 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:13:39,822 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:13:39,822 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:13:39,823 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 316, Failed checks: 69, Skipped checks: 18

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # custom scaling schedule
		33 |   autoscaling_cron = {
		34 |     "down" : "0 21 * * *",
		35 |     "up" : "0 05 * * *"
		36 |   }
		37 | 
		38 |   # Tags
		39 |   tags_common = local.tags
		40 |   tags_prefix = terraform.workspace
		41 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_sandbox
	File: /sandbox_ecs.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ecs_sandbox" {
		2  |   count = local.is-development ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		5  | 
		6  |   environment = local.environment
		7  |   name        = "${local.application_name}-sandbox"
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment_sandbox
	File: /sandbox_ecs.tf:12-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "s3_bucket_app_deployment_sandbox" {
		13 |   count = local.is-development ? 1 : 0
		14 | 
		15 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		16 | 
		17 |   providers = {
		18 |     aws.bucket-replication = aws
		19 |   }
		20 |   bucket_name        = "${local.application_name}-sandbox-deployment"
		21 |   versioning_enabled = true
		22 | 
		23 |   ownership_controls = "BucketOwnerEnforced"
		24 | 
		25 |   lifecycle_rule = [
		26 |     {
		27 |       id      = "main"
		28 |       enabled = "Enabled"
		29 |       prefix  = ""
		30 | 
		31 |       tags = {
		32 |         rule      = "log"
		33 |         autoclean = "true"
		34 |       }
		35 | 
		36 |       noncurrent_version_transition = [
		37 |         {
		38 |           days          = 90
		39 |           storage_class = "STANDARD_IA"
		40 |           }, {
		41 |           days          = 365
		42 |           storage_class = "GLACIER"
		43 |         }
		44 |       ]
		45 | 
		46 |       noncurrent_version_expiration = {
		47 |         days = 730
		48 |       }
		49 |     }
		50 |   ]
		51 | 
		52 |   tags = local.tags
		53 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket_sandbox
	File: /sandbox_s3.tf:1-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.jitbit_ses_smtp_user
	File: /ses.tf:101-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		101 | resource "aws_iam_user" "jitbit_ses_smtp_user" {
		102 |   name = "${local.environment}-jitbit-smtp-user"
		103 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jitbit_ses_smtp_user
	File: /ses.tf:128-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "jitbit_ses_smtp_user" {
		129 |   name = "/${local.environment}/jitbit/ses_smtp"
		130 |   type = "SecureString"
		131 |   value = jsonencode({
		132 |     user              = aws_iam_user.jitbit_ses_smtp_user.name,
		133 |     key               = aws_iam_access_key.jitbit_ses_smtp_user.id,
		134 |     secret            = aws_iam_access_key.jitbit_ses_smtp_user.secret
		135 |     ses_smtp_user     = aws_iam_access_key.jitbit_ses_smtp_user.id
		136 |     ses_smtp_password = aws_iam_access_key.jitbit_ses_smtp_user.ses_smtp_password_v4
		137 |   })
		138 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  |   
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  |   
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic_bounce_email_notification
	File: /ses_bounce.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
		2 |   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
		3 | 
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled"
	FAILED for resource: aws_dynamodb_table.bounce_email_notification
	File: /ses_bounce.tf:126-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-6

		126 | resource "aws_dynamodb_table" "bounce_email_notification" {
		127 |   name           = "bounce_email_notification"
		128 |   billing_mode   = "PAY_PER_REQUEST"
		129 |   hash_key       = "email_ticket_id"
		130 | 
		131 |   server_side_encryption {
		132 |     enabled = true
		133 |     kms_key_arn = data.aws_kms_key.general_shared.arn
		134 |   }
		135 | 
		136 |   ttl {
		137 |     attribute_name = "expireAt"
		138 |     enabled = true
		139 |   }
		140 | 
		141 |   attribute {
		142 |     name = "email_ticket_id"
		143 |     type = "S"
		144 |   }
		145 | 
		146 |   tags = local.tags
		147 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic
	File: /ses_logging.tf:4-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		4 | resource "aws_sns_topic" "jitbit_ses_destination_topic" {
		5 |   name = format("%s-ses-destination-topic", local.application_name)
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.sns_logs
	File: /ses_logging.tf:59-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "sns_logs" {
		60 |   name              = format("%s-ses-logs", local.application_name)
		61 |   retention_in_days = local.application_data.accounts[local.environment].lambda_log_retention_days
		62 | 
		63 |   tags = local.tags
		64 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.this
	File: /waf.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string_sandbox
	File: /sandbox_secrets.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2  | resource "aws_secretsmanager_secret" "db_app_connection_string_sandbox" {
		3  |   count = local.is-development ? 1 : 0
		4  |   #checkov:skip=CKV_AWS_149
		5  |   name                    = "${var.networking[0].application}-app-connection-string-sandbox"
		6  |   recovery_window_in_days = 0
		7  |   tags = merge(
		8  |     local.tags,
		9  |     {
		10 |       Name = "${var.networking[0].application}-app-connection-string-sandbox"
		11 |     },
		12 |   )
		13 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit
	File: /ecs.tf:53-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		53 | resource "aws_security_group" "jitbit" {
		54 |   vpc_id      = data.aws_vpc.shared.id
		55 |   name        = format("hmpps-%s-%s-service", local.environment, local.application_name)
		56 |   description = "Security group for the ${local.application_name} service"
		57 |   tags        = local.tags
		58 | 
		59 |   lifecycle {
		60 |     create_before_destroy = true
		61 |   }
		62 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit_sandbox
	File: /sandbox_ecs.tf:55-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		55 | resource "aws_security_group" "jitbit_sandbox" {
		56 |   count = local.is-development ? 1 : 0
		57 | 
		58 |   vpc_id      = data.aws_vpc.shared.id
		59 |   name        = format("hmpps-%s-%s-service", "sandbox", local.application_name)
		60 |   description = "Security group for the ${local.application_name} sandbox service"
		61 |   tags        = local.tags
		62 | 
		63 |   lifecycle {
		64 |     create_before_destroy = true
		65 |   }
		66 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/ses_logging.tf line 30:
  30: data "archive_file" "lambda_function_payload" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Trivy in terraform/environments/delius-jitbit
2024-06-03T14:13:31Z	INFO	Need to update DB
2024-06-03T14:13:31Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-03T14:13:33Z	INFO	Vulnerability scanning is enabled
2024-06-03T14:13:33Z	INFO	Misconfiguration scanning is enabled
2024-06-03T14:13:33Z	INFO	Need to update the built-in policies
2024-06-03T14:13:33Z	INFO	Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-03T14:13:33Z	INFO	Secret scanning is enabled
2024-06-03T14:13:33Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-03T14:13:33Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-03T14:13:37Z	INFO	Number of language-specific files	num=0
2024-06-03T14:13:37Z	INFO	Detected config files	num=15

ecs.tf (terraform)
==================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:70
   via ecs.tf:64-72 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  64   resource "aws_security_group_rule" "allow_all_egress" {
  65     description       = "Allow all outbound traffic to any IPv4 address"
  66     type              = "egress"
  67     from_port         = 0
  68     to_port           = 0
  69     protocol          = "-1"
  70 [   cidr_blocks       = ["0.0.0.0/0"]
  71     security_group_id = aws_security_group.jitbit.id
  72   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)
======================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
   via s3.tf:1-84 (module.jitbit_bucket)
────────────────────────────────────────
 157resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 158 │   bucket = aws_s3_bucket.default.id
 159 │   rule {
 160 │     apply_server_side_encryption_by_default {
 161 │       sse_algorithm     = var.sse_algorithm
 162 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 163 │     }
 164 │   }
 165 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
   via ecs.tf:11-51 (module.s3_bucket_app_deployment)
────────────────────────────────────────
 157resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 158 │   bucket = aws_s3_bucket.default.id
 159 │   rule {
 160 │     apply_server_side_encryption_by_default {
 161 │       sse_algorithm     = var.sse_algorithm
 162 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 163 │     }
 164 │   }
 165 └ }
────────────────────────────────────────



iam.tf (terraform)
==================
Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lb.tf (terraform)
=================
Tests: 10 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 1)
Failures: 6 (HIGH: 0, CRITICAL: 6)

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:7ff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:3fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:7fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:7ff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:6-8
────────────────────────────────────────
   6resource "aws_sns_topic" "jitbit_alerting" {
   7 │   name = "jitbit_alerting"
   8 └ }
────────────────────────────────────────



ses.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ses_bounce.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ses_bounce.tf:1-5
────────────────────────────────────────
   1resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
   2 │   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
   34 │   tags = local.tags
   5 └ }
────────────────────────────────────────



ses_logging.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ses_logging.tf:4-8
────────────────────────────────────────
   4resource "aws_sns_topic" "jitbit_ses_destination_topic" {
   5 │   name = format("%s-ses-destination-topic", local.application_name)
   67 │   tags = local.tags
   8 └ }
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jun 3, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-jitbit

Running Trivy in terraform/environments/delius-jitbit
2024-06-03T14:14:40Z INFO Need to update DB
2024-06-03T14:14:40Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-03T14:14:42Z INFO Vulnerability scanning is enabled
2024-06-03T14:14:42Z INFO Misconfiguration scanning is enabled
2024-06-03T14:14:42Z INFO Need to update the built-in policies
2024-06-03T14:14:42Z INFO Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-03T14:14:43Z INFO Secret scanning is enabled
2024-06-03T14:14:43Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-03T14:14:43Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-03T14:14:46Z INFO Number of language-specific files num=0
2024-06-03T14:14:46Z INFO Detected config files num=15

ecs.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:70
via ecs.tf:64-72 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
64 resource "aws_security_group_rule" "allow_all_egress" {
65 description = "Allow all outbound traffic to any IPv4 address"
66 type = "egress"
67 from_port = 0
68 to_port = 0
69 protocol = "-1"
70 [ cidr_blocks = ["0.0.0.0/0"]
71 security_group_id = aws_security_group.jitbit.id
72 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
via s3.tf:1-84 (module.jitbit_bucket)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
via ecs.tf:11-51 (module.s3_bucket_app_deployment)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────

iam.tf (terraform)

Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lb.tf (terraform)

Tests: 10 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 1)
Failures: 6 (HIGH: 0, CRITICAL: 6)

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:7ff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:3fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:7fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:7ff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
lb.tf:60
via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:fff:f800::/53"])
────────────────────────────────────────
53 resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
54 for_each = toset(local.ipv6_cidr_blocks)
55 description = "Allow ingress from allow listed CIDRs"
56 security_group_id = aws_security_group.load_balancer_security_group.id
57 from_port = 443
58 to_port = 443
59 ip_protocol = "tcp"
60 [ cidr_ipv6 = each.value
61 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:6-8
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "jitbit_alerting" {
7 │ name = "jitbit_alerting"
8 └ }
────────────────────────────────────────

ses.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ses_bounce.tf (terraform)

Tests: 6 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ses_bounce.tf:1-5
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
2 │ name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
3 │
4 │ tags = local.tags
5 └ }
────────────────────────────────────────

ses_logging.tf (terraform)

Tests: 5 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ses_logging.tf:4-8
────────────────────────────────────────
4 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic" {
5 │ name = format("%s-ses-destination-topic", local.application_name)
6 │
7 │ tags = local.tags
8 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Checkov in terraform/environments/delius-jitbit
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-03 14:14:49,154 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:14:49,154 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:14:49,155 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:14:49,155 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-06-03 14:14:49,155 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 316, Failed checks: 69, Skipped checks: 18

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # custom scaling schedule
		33 |   autoscaling_cron = {
		34 |     "down" : "0 21 * * *",
		35 |     "up" : "0 05 * * *"
		36 |   }
		37 | 
		38 |   # Tags
		39 |   tags_common = local.tags
		40 |   tags_prefix = terraform.workspace
		41 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_sandbox
	File: /sandbox_ecs.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ecs_sandbox" {
		2  |   count = local.is-development ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		5  | 
		6  |   environment = local.environment
		7  |   name        = "${local.application_name}-sandbox"
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment_sandbox
	File: /sandbox_ecs.tf:12-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "s3_bucket_app_deployment_sandbox" {
		13 |   count = local.is-development ? 1 : 0
		14 | 
		15 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		16 | 
		17 |   providers = {
		18 |     aws.bucket-replication = aws
		19 |   }
		20 |   bucket_name        = "${local.application_name}-sandbox-deployment"
		21 |   versioning_enabled = true
		22 | 
		23 |   ownership_controls = "BucketOwnerEnforced"
		24 | 
		25 |   lifecycle_rule = [
		26 |     {
		27 |       id      = "main"
		28 |       enabled = "Enabled"
		29 |       prefix  = ""
		30 | 
		31 |       tags = {
		32 |         rule      = "log"
		33 |         autoclean = "true"
		34 |       }
		35 | 
		36 |       noncurrent_version_transition = [
		37 |         {
		38 |           days          = 90
		39 |           storage_class = "STANDARD_IA"
		40 |           }, {
		41 |           days          = 365
		42 |           storage_class = "GLACIER"
		43 |         }
		44 |       ]
		45 | 
		46 |       noncurrent_version_expiration = {
		47 |         days = 730
		48 |       }
		49 |     }
		50 |   ]
		51 | 
		52 |   tags = local.tags
		53 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket_sandbox
	File: /sandbox_s3.tf:1-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.jitbit_ses_smtp_user
	File: /ses.tf:101-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		101 | resource "aws_iam_user" "jitbit_ses_smtp_user" {
		102 |   name = "${local.environment}-jitbit-smtp-user"
		103 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jitbit_ses_smtp_user
	File: /ses.tf:128-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "jitbit_ses_smtp_user" {
		129 |   name = "/${local.environment}/jitbit/ses_smtp"
		130 |   type = "SecureString"
		131 |   value = jsonencode({
		132 |     user              = aws_iam_user.jitbit_ses_smtp_user.name,
		133 |     key               = aws_iam_access_key.jitbit_ses_smtp_user.id,
		134 |     secret            = aws_iam_access_key.jitbit_ses_smtp_user.secret
		135 |     ses_smtp_user     = aws_iam_access_key.jitbit_ses_smtp_user.id
		136 |     ses_smtp_password = aws_iam_access_key.jitbit_ses_smtp_user.ses_smtp_password_v4
		137 |   })
		138 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  |   
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  |   
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic_bounce_email_notification
	File: /ses_bounce.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
		2 |   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
		3 | 
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS = "bounce-notification@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled"
	FAILED for resource: aws_dynamodb_table.bounce_email_notification
	File: /ses_bounce.tf:126-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-6

		126 | resource "aws_dynamodb_table" "bounce_email_notification" {
		127 |   name           = "bounce_email_notification"
		128 |   billing_mode   = "PAY_PER_REQUEST"
		129 |   hash_key       = "email_ticket_id"
		130 | 
		131 |   server_side_encryption {
		132 |     enabled = true
		133 |     kms_key_arn = data.aws_kms_key.general_shared.arn
		134 |   }
		135 | 
		136 |   ttl {
		137 |     attribute_name = "expireAt"
		138 |     enabled = true
		139 |   }
		140 | 
		141 |   attribute {
		142 |     name = "email_ticket_id"
		143 |     type = "S"
		144 |   }
		145 | 
		146 |   tags = local.tags
		147 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic
	File: /ses_logging.tf:4-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		4 | resource "aws_sns_topic" "jitbit_ses_destination_topic" {
		5 |   name = format("%s-ses-destination-topic", local.application_name)
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.sns_logs
	File: /ses_logging.tf:59-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "sns_logs" {
		60 |   name              = format("%s-ses-logs", local.application_name)
		61 |   retention_in_days = local.application_data.accounts[local.environment].lambda_log_retention_days
		62 | 
		63 |   tags = local.tags
		64 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.this
	File: /waf.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:40-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		40 | resource "aws_db_instance" "jitbit" {
		41 |   engine         = "sqlserver-se"
		42 |   license_model  = "license-included"
		43 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		44 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		45 |   identifier     = "${local.application_name}-${local.environment}-database"
		46 |   username       = local.application_data.accounts[local.environment].db_user
		47 | 
		48 |   manage_master_user_password = true
		49 | 
		50 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		51 | 
		52 |   # tflint-ignore: aws_db_instance_default_parameter_group
		53 |   parameter_group_name        = "default.sqlserver-se-15.0"
		54 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		55 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		56 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		57 |   skip_final_snapshot         = local.skip_final_snapshot
		58 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		59 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		60 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		61 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		62 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		63 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		64 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		65 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		66 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		67 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		68 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		69 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		70 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		71 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		72 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		73 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		74 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		75 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		76 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		77 |   storage_encrypted               = true
		78 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		79 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		80 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		81 |   tags = merge(local.tags,
		82 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		83 |   )
		84 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string_sandbox
	File: /sandbox_secrets.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2  | resource "aws_secretsmanager_secret" "db_app_connection_string_sandbox" {
		3  |   count = local.is-development ? 1 : 0
		4  |   #checkov:skip=CKV_AWS_149
		5  |   name                    = "${var.networking[0].application}-app-connection-string-sandbox"
		6  |   recovery_window_in_days = 0
		7  |   tags = merge(
		8  |     local.tags,
		9  |     {
		10 |       Name = "${var.networking[0].application}-app-connection-string-sandbox"
		11 |     },
		12 |   )
		13 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit
	File: /ecs.tf:53-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		53 | resource "aws_security_group" "jitbit" {
		54 |   vpc_id      = data.aws_vpc.shared.id
		55 |   name        = format("hmpps-%s-%s-service", local.environment, local.application_name)
		56 |   description = "Security group for the ${local.application_name} service"
		57 |   tags        = local.tags
		58 | 
		59 |   lifecycle {
		60 |     create_before_destroy = true
		61 |   }
		62 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit_sandbox
	File: /sandbox_ecs.tf:55-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		55 | resource "aws_security_group" "jitbit_sandbox" {
		56 |   count = local.is-development ? 1 : 0
		57 | 
		58 |   vpc_id      = data.aws_vpc.shared.id
		59 |   name        = format("hmpps-%s-%s-service", "sandbox", local.application_name)
		60 |   description = "Security group for the ${local.application_name} service"
		61 |   tags        = local.tags
		62 | 
		63 |   lifecycle {
		64 |     create_before_destroy = true
		65 |   }
		66 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/ses_bounce.tf line 23:
  23: data "archive_file" "lambda_function_payload_bounce_email_notification" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Trivy in terraform/environments/delius-jitbit
2024-06-03T14:14:40Z	INFO	Need to update DB
2024-06-03T14:14:40Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-03T14:14:42Z	INFO	Vulnerability scanning is enabled
2024-06-03T14:14:42Z	INFO	Misconfiguration scanning is enabled
2024-06-03T14:14:42Z	INFO	Need to update the built-in policies
2024-06-03T14:14:42Z	INFO	Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-03T14:14:43Z	INFO	Secret scanning is enabled
2024-06-03T14:14:43Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-03T14:14:43Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-03T14:14:46Z	INFO	Number of language-specific files	num=0
2024-06-03T14:14:46Z	INFO	Detected config files	num=15

ecs.tf (terraform)
==================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:70
   via ecs.tf:64-72 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  64   resource "aws_security_group_rule" "allow_all_egress" {
  65     description       = "Allow all outbound traffic to any IPv4 address"
  66     type              = "egress"
  67     from_port         = 0
  68     to_port           = 0
  69     protocol          = "-1"
  70 [   cidr_blocks       = ["0.0.0.0/0"]
  71     security_group_id = aws_security_group.jitbit.id
  72   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)
======================================================================================================
Tests: 14 (SUCCESSES: 12, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
   via s3.tf:1-84 (module.jitbit_bucket)
────────────────────────────────────────
 157resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 158 │   bucket = aws_s3_bucket.default.id
 159 │   rule {
 160 │     apply_server_side_encryption_by_default {
 161 │       sse_algorithm     = var.sse_algorithm
 162 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 163 │     }
 164 │   }
 165 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
   via ecs.tf:11-51 (module.s3_bucket_app_deployment)
────────────────────────────────────────
 157resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 158 │   bucket = aws_s3_bucket.default.id
 159 │   rule {
 160 │     apply_server_side_encryption_by_default {
 161 │       sse_algorithm     = var.sse_algorithm
 162 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 163 │     }
 164 │   }
 165 └ }
────────────────────────────────────────



iam.tf (terraform)
==================
Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lb.tf (terraform)
=================
Tests: 10 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 1)
Failures: 6 (HIGH: 0, CRITICAL: 6)

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:7ff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2406:da18:fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:3fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2600:1f18:7fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:7ff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 lb.tf:60
   via lb.tf:53-61 (aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule_ipv6["2a05:d018:fff:f800::/53"])
────────────────────────────────────────
  53   resource "aws_vpc_security_group_ingress_rule" "load_balancer_ingress_rule_ipv6" {
  54     for_each          = toset(local.ipv6_cidr_blocks)
  55     description = "Allow ingress from allow listed CIDRs"
  56     security_group_id = aws_security_group.load_balancer_security_group.id
  57     from_port         = 443
  58     to_port           = 443
  59     ip_protocol       = "tcp"
  60 [   cidr_ipv6         = each.value
  61   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:6-8
────────────────────────────────────────
   6resource "aws_sns_topic" "jitbit_alerting" {
   7 │   name = "jitbit_alerting"
   8 └ }
────────────────────────────────────────



ses.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ses_bounce.tf (terraform)
=========================
Tests: 6 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ses_bounce.tf:1-5
────────────────────────────────────────
   1resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
   2 │   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
   34 │   tags = local.tags
   5 └ }
────────────────────────────────────────



ses_logging.tf (terraform)
==========================
Tests: 5 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ses_logging.tf:4-8
────────────────────────────────────────
   4resource "aws_sns_topic" "jitbit_ses_destination_topic" {
   5 │   name = format("%s-ses-destination-topic", local.application_name)
   67 │   tags = local.tags
   8 └ }
────────────────────────────────────────


trivy_exitcode=1

@georgepstaylor georgepstaylor temporarily deployed to delius-jitbit-development June 3, 2024 14:21 — with GitHub Actions Inactive
@georgepstaylor georgepstaylor merged commit 45eb9d5 into main Jun 3, 2024
14 of 16 checks passed
@georgepstaylor georgepstaylor deleted the jitbit-consolidate-lb branch June 3, 2024 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewmooreio andrewmooreio andrewmooreio approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@georgepstaylor @andrewmooreio