Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EM: Edit step function to include athena log validation #6604

Merged
merged 49 commits into from
Jun 19, 2024

Conversation

matt-heery
Copy link
Contributor

Currently the step function writes ALL tables to the AP by default.

We want to only write validated tables to the AP. The first step of this step function is to run a query the log tables against all tables in that database bringing back the tables with Validated in their validation message, and trigger all of those.

@matt-heery matt-heery requested review from a team as code owners June 14, 2024 13:33
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 14, 2024
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 13:34 — with GitHub Actions Failure
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-14T13:35:37Z INFO Need to update DB
2024-06-14T13:35:37Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-14T13:35:39Z INFO Vulnerability scanning is enabled
2024-06-14T13:35:39Z INFO Misconfiguration scanning is enabled
2024-06-14T13:35:39Z INFO Need to update the built-in policies
2024-06-14T13:35:39Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-14T13:35:39Z INFO Secret scanning is enabled
2024-06-14T13:35:39Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:35:39Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:35:42Z INFO Number of language-specific files num=0
2024-06-14T13:35:42Z INFO Detected config files num=27

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_iam.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 30 (SUCCESSES: 12, FAILURES: 0, EXCEPTIONS: 18)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via register-my-data.tf:47-54 (module.ap_export_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via unzipped-s3-store.tf:1-7 (module.unzipped_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

parquet-to-csv.tf (terraform)

Tests: 15 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 2)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
parquet-to-csv.tf:25-33
────────────────────────────────────────
25 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
26 │ bucket = aws_s3_bucket.csv-output-bucket.id
27 │
28 │ rule {
29 │ apply_server_side_encryption_by_default {
30 │ sse_algorithm = "AES256"
31 │ }
32 │ }
33 └ }
────────────────────────────────────────

register-my-data.tf (terraform)

Tests: 9 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
register-my-data.tf:92-100
────────────────────────────────────────
92 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
93 │ bucket = aws_s3_bucket.ap_export_bucket.id
94 │
95 │ rule {
96 │ apply_server_side_encryption_by_default {
97 │ sse_algorithm = "AES256"
98 │ }
99 │ }
100 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 10 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 10)
Failures: 0 (HIGH: 0, CRITICAL: 0)

unzipped-s3-store.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
unzipped-s3-store.tf:15-23
────────────────────────────────────────
15 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
16 │ bucket = aws_s3_bucket.unzipped_store.id
17 │
18 │ rule {
19 │ apply_server_side_encryption_by_default {
20 │ sse_algorithm = "AES256"
21 │ }
22 │ }
23 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-14 13:35:45,008 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88:None (for external modules, the --download-external-modules flag is required)
2024-06-14 13:35:45,009 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1334, Failed checks: 137, Skipped checks: 6

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job
	File: /dms_data_validation_glue_job.tf:91-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		91  | resource "aws_glue_job" "dms_dv_glue_job" {
		92  |   name         = "dms-dv-glue-job"
		93  |   description  = "DMS Data Validation Glue-Job (PySpark)."
		94  |   role_arn     = aws_iam_role.dms_dv_glue_job_iam_role.arn
		95  |   glue_version = "4.0"
		96  |   default_arguments = {
		97  |     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"
		98  |     "--rds_db_host_ep"                   = split(":", aws_db_instance.database_2022.endpoint)[0]
		99  |     "--rds_db_pwd"                       = aws_db_instance.database_2022.password
		100 |     "--rds_sqlserver_db"                 = ""
		101 |     "--rds_sqlserver_db_schema"          = ""
		102 |     "--rds_sqlserver_tbls"               = ""
		103 |     "--trim_rds_df_str_columns"          = "false"
		104 |     "--repartition_factor"               = 8
		105 |     "--max_table_size_mb"                = 2000
		106 |     "--parquet_src_bucket_name"          = aws_s3_bucket.dms_target_ep_s3_bucket.id
		107 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		108 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		109 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		110 |     "--continuous-log-logGroup"          = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_cw_log_group.name}"
		111 |     "--enable-continuous-cloudwatch-log" = "true"
		112 |     "--enable-continuous-log-filter"     = "true"
		113 |     "--enable-spark-ui"                  = "true"
		114 |     "--spark-event-logs-path"            = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/spark_logs/"
		115 |     "--enable-metrics"                   = "true"
		116 |     "--enable-auto-scaling"              = "true"
		117 |     "--conf"                             = "spark.memory.offHeap.enabled=true --conf spark.memory.offHeap.size=1g --conf spark.sql.adaptive.enabled=true --conf spark.sql.adaptive.coalescePartitions.enabled=true --conf spark.sql.adaptive.skewJoin.enabled=true --conf spark.sql.legacy.parquet.datetimeRebaseModeInRead=CORRECTED"
		118 |   }
		119 | 
		120 |   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]
		121 |   command {
		122 |     python_version  = "3"
		123 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/dms_dv_rds_and_s3_parquet_write.py"
		124 |   }
		125 | 
		126 |   tags = merge(
		127 |     local.tags,
		128 |     {
		129 |       Resource_Type = "Glue-Job that processes data sourced from both RDS and S3",
		130 |     }
		131 |   )
		132 | 
		133 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:136-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		136 | resource "aws_glue_job" "dms_dv_glue_job_v2" {
		137 |   name              = "dms-dv-glue-job-v2"
		138 |   description       = "DMS Data Validation Glue-Job (PySpark)."
		139 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		140 |   glue_version      = "4.0"
		141 |   worker_type       = "G.1X"
		142 |   number_of_workers = 5
		143 |   default_arguments = {
		144 |     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"
		145 |     "--rds_db_host_ep"                   = split(":", aws_db_instance.database_2022.endpoint)[0]
		146 |     "--rds_db_pwd"                       = aws_db_instance.database_2022.password
		147 |     "--rds_sqlserver_db"                 = ""
		148 |     "--rds_sqlserver_db_schema"          = ""
		149 |     "--exclude_rds_db_tbls"              = ""
		150 |     "--select_rds_db_tbls"               = ""
		151 |     "--trim_rds_df_str_columns"          = "false"
		152 |     "--repartition_factor"               = 8
		153 |     "--max_table_size_mb"                = 2000
		154 |     "--transformed_column_list_1"        = ""
		155 |     "--rds_tbl_col_replace_char_1"       = ""
		156 |     "--parquet_src_bucket_name"          = aws_s3_bucket.dms_target_ep_s3_bucket.id
		157 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		158 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		159 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		160 |     "--continuous-log-logGroup"          = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_cw_log_group.name}"
		161 |     "--enable-continuous-cloudwatch-log" = "true"
		162 |     "--enable-continuous-log-filter"     = "true"
		163 |     "--enable-spark-ui"                  = "true"
		164 |     "--spark-event-logs-path"            = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/spark_logs/"
		165 |     "--enable-metrics"                   = "true"
		166 |     "--enable-auto-scaling"              = "true"
		167 |     "--conf"                             = "spark.memory.offHeap.enabled=true --conf spark.memory.offHeap.size=1g --conf spark.sql.adaptive.enabled=true --conf spark.sql.adaptive.coalescePartitions.enabled=true --conf spark.sql.adaptive.skewJoin.enabled=true --conf spark.sql.legacy.parquet.datetimeRebaseModeInRead=CORRECTED"
		168 |   }
		169 | 
		170 |   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]
		171 |   command {
		172 |     python_version  = "3"
		173 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/dms_dv_rds_and_s3_parquet_write_v2.py"
		174 |   }
		175 | 
		176 |   tags = merge(
		177 |     local.tags,
		178 |     {
		179 |       Resource_Type = "Glue-Job that processes data sourced from both RDS and S3",
		180 |     }
		181 |   )
		182 | 
		183 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:186-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		186 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		187 |   name              = "catalog-dv-table-glue-job"
		188 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		189 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		190 |   glue_version      = "4.0"
		191 |   worker_type       = "G.1X"
		192 |   number_of_workers = 2
		193 |   default_arguments = {
		194 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		195 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		196 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		197 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		198 |     "--enable-continuous-cloudwatch-log" = "true"
		199 |     "--enable-continuous-log-filter"     = "true"
		200 |     "--enable-metrics"                   = ""
		201 |   }
		202 |   command {
		203 |     python_version  = "3"
		204 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     local.tags,
		209 |     {
		210 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		211 |     }
		212 |   )
		213 | 
		214 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.get_glue_tables
	File: /lambdas_iam.tf:344-354
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		344 | data "aws_iam_policy_document" "get_glue_tables" {
		345 |     statement {
		346 |         effect = "Allow"
		347 |         actions = [
		348 |             "glue:GetTable",
		349 |             "glue:GetTables",
		350 |             "glue:GetDatabase"
		351 |         ]
		352 |         resources = ["*"]
		353 |     }
		354 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_cap_dw"].aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_cap_dw"].aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.parquet-to-csv
	File: /parquet-to-csv.tf:101-136
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		101 | data "aws_iam_policy_document" "parquet-to-csv" {
		102 |   statement {
		103 |     effect = "Allow"
		104 |     actions = [
		105 |       "s3:GetObject",
		106 |       "s3:ListBucket"
		107 |     ]
		108 |     resources = ["${aws_s3_bucket.glue-jobs.arn}/*", aws_s3_bucket.glue-jobs.arn, "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}/*", aws_s3_bucket.dms_target_ep_s3_bucket.arn]
		109 |   }
		110 |   statement {
		111 |     effect = "Allow"
		112 |     actions = [
		113 |       "s3:PutObject",
		114 |       "s3:DeleteObject",
		115 |       "s3:ListBucket"
		116 |     ]
		117 |     resources = [aws_s3_bucket.csv-output-bucket.arn, "${aws_s3_bucket.csv-output-bucket.arn}/*"]
		118 |   }
		119 |   statement {
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "glue:GetConnection",
		123 |       "glue:GetConnections",
		124 |       "glue:GetDatabase",
		125 |       "glue:GetDatabases",
		126 |       "glue:GetJob",
		127 |       "glue:GetJobs",
		128 |       "glue:GetPartition",
		129 |       "glue:GetPartitions",
		130 |       "glue:GetTable",
		131 |       "glue:GetTables",
		132 | 
		133 |     ]
		134 |     resources = ["*"]
		135 |   }
		136 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet-to-csv
	File: /parquet-to-csv.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		61 | resource "aws_cloudwatch_log_group" "parquet-to-csv" {
		62 |   name              = "parquet-to-csv"
		63 |   retention_in_days = 14
		64 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet-to-csv
	File: /parquet-to-csv.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "parquet-to-csv" {
		62 |   name              = "parquet-to-csv"
		63 |   retention_in_days = 14
		64 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet-to-csv
	File: /parquet-to-csv.tf:66-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		66 | resource "aws_glue_job" "parquet-to-csv" {
		67 |   name         = "parquet-to-csv"
		68 |   role_arn     = aws_iam_role.parquet-to-csv.arn
		69 |   glue_version = "4.0"
		70 |   default_arguments = {
		71 |     "--destination_bucket"               = aws_s3_bucket.csv-output-bucket.id
		72 |     "--source_bucket"                    = aws_s3_bucket.dms_target_ep_s3_bucket.id
		73 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.parquet-to-csv.name
		74 |     "--enable-continuous-cloudwatch-log" = "true"
		75 |     "--enable-continuous-log-filter"     = "true"
		76 |     "--enable-metrics"                   = ""
		77 |   }
		78 | 
		79 |   command {
		80 |     python_version  = "3"
		81 |     script_location = "s3://${aws_s3_bucket.glue-jobs.id}/parquet_to_csv.py"
		82 |   }
		83 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = <<EOF
		6  | {
		7  |   "StartAt": "GetMetadataList",
		8  |   "States": {
		9  |     "GetMetadataList": {
		10 |       "Type": "Task",
		11 |       "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |       "ResultPath": "$.metadata_list",
		13 |       "Next": "LoopThroughMetadataList"
		14 |     },
		15 |     "LoopThroughMetadataList": {
		16 |       "Type": "Map",
		17 |       "ItemsPath": "$.metadata_list.metadata_list",
		18 |       "MaxConcurrency": 4,
		19 |       "Iterator": {
		20 |         "StartAt": "CreateAthenaTable",
		21 |         "States": {
		22 |           "CreateAthenaTable": {
		23 |             "Type": "Task",
		24 |             "Resource": "${module.create_athena_table.lambda_function_arn}",
		25 |             "ResultPath": "$.result",
		26 |             "End": true
		27 |           }
		28 |         }
		29 |       },
		30 |       "End": true
		31 |     }
		32 |   }
		33 | }
		34 | EOF
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = <<EOF
		6  | {
		7  |   "StartAt": "GetMetadataList",
		8  |   "States": {
		9  |     "GetMetadataList": {
		10 |       "Type": "Task",
		11 |       "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |       "ResultPath": "$.metadata_list",
		13 |       "Next": "LoopThroughMetadataList"
		14 |     },
		15 |     "LoopThroughMetadataList": {
		16 |       "Type": "Map",
		17 |       "ItemsPath": "$.metadata_list.metadata_list",
		18 |       "MaxConcurrency": 4,
		19 |       "Iterator": {
		20 |         "StartAt": "CreateAthenaTable",
		21 |         "States": {
		22 |           "CreateAthenaTable": {
		23 |             "Type": "Task",
		24 |             "Resource": "${module.create_athena_table.lambda_function_arn}",
		25 |             "ResultPath": "$.result",
		26 |             "End": true
		27 |           }
		28 |         }
		29 |       },
		30 |       "End": true
		31 |     }
		32 |   }
		33 | }
		34 | EOF
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-151
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-151
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_emsys_mvp"].aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_emsys_mvp"].aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.ap_export_bucket
	File: /register-my-data.tf:84-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		84 | resource "aws_s3_bucket_ownership_controls" "ap_export_bucket" {
		85 |   bucket = aws_s3_bucket.ap_export_bucket.id
		86 | 
		87 |   rule {
		88 |     object_ownership = "BucketOwnerPreferred"
		89 |   }
		90 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.csv-output-bucket
	File: /parquet-to-csv.tf:25-33

		25 | resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
		26 |   bucket = aws_s3_bucket.csv-output-bucket.id
		27 | 
		28 |   rule {
		29 |     apply_server_side_encryption_by_default {
		30 |       sse_algorithm = "AES256"
		31 |     }
		32 |   }
		33 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.ap_export_bucket
	File: /register-my-data.tf:92-100

		92  | resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
		93  |   bucket = aws_s3_bucket.ap_export_bucket.id
		94  | 
		95  |   rule {
		96  |     apply_server_side_encryption_by_default {
		97  |       sse_algorithm = "AES256"
		98  |     }
		99  |   }
		100 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.unzipped_store
	File: /unzipped-s3-store.tf:15-23

		15 | resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
		16 |   bucket = aws_s3_bucket.unzipped_store.id
		17 | 
		18 |   rule {
		19 |     apply_server_side_encryption_by_default {
		20 |       sse_algorithm = "AES256"
		21 |     }
		22 |   }
		23 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
10 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 97:
  97:     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 108:
 108:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 120:
 120:   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 144:
 144:     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 158:
 158:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 170:
 170:   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 195:
 195:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 189:
 189: data "archive_file" "get_tables_from_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-14T13:35:37Z	INFO	Need to update DB
2024-06-14T13:35:37Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-14T13:35:39Z	INFO	Vulnerability scanning is enabled
2024-06-14T13:35:39Z	INFO	Misconfiguration scanning is enabled
2024-06-14T13:35:39Z	INFO	Need to update the built-in policies
2024-06-14T13:35:39Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-14T13:35:39Z	INFO	Secret scanning is enabled
2024-06-14T13:35:39Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:35:39Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:35:42Z	INFO	Number of language-specific files	num=0
2024-06-14T13:35:42Z	INFO	Detected config files	num=27

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88/main.tf (terraform)
=======================================================================================================
Tests: 8 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_iam.tf (terraform)
=======================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 30 (SUCCESSES: 12, FAILURES: 0, EXCEPTIONS: 18)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  4243 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via register-my-data.tf:47-54 (module.ap_export_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via unzipped-s3-store.tf:1-7 (module.unzipped_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



parquet-to-csv.tf (terraform)
=============================
Tests: 15 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 2)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 parquet-to-csv.tf:25-33
────────────────────────────────────────
  25resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
  26 │   bucket = aws_s3_bucket.csv-output-bucket.id
  2728 │   rule {
  29 │     apply_server_side_encryption_by_default {
  30 │       sse_algorithm = "AES256"
  31 │     }
  32 │   }
  33 └ }
────────────────────────────────────────



register-my-data.tf (terraform)
===============================
Tests: 9 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 register-my-data.tf:92-100
────────────────────────────────────────
  92resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
  93 │   bucket = aws_s3_bucket.ap_export_bucket.id
  9495 │   rule {
  96 │     apply_server_side_encryption_by_default {
  97 │       sse_algorithm = "AES256"
  98 │     }
  99 │   }
 100 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 10 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 10)
Failures: 0 (HIGH: 0, CRITICAL: 0)


unzipped-s3-store.tf (terraform)
================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 unzipped-s3-store.tf:15-23
────────────────────────────────────────
  15resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
  16 │   bucket = aws_s3_bucket.unzipped_store.id
  1718 │   rule {
  19 │     apply_server_side_encryption_by_default {
  20 │       sse_algorithm = "AES256"
  21 │     }
  22 │   }
  23 └ }
────────────────────────────────────────


trivy_exitcode=1

@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 13:39 — with GitHub Actions Failure
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-14T13:39:53Z INFO Need to update DB
2024-06-14T13:39:53Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-14T13:39:55Z INFO Vulnerability scanning is enabled
2024-06-14T13:39:55Z INFO Misconfiguration scanning is enabled
2024-06-14T13:39:55Z INFO Need to update the built-in policies
2024-06-14T13:39:55Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-14T13:39:55Z INFO Secret scanning is enabled
2024-06-14T13:39:55Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:39:55Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:39:57Z INFO Number of language-specific files num=0
2024-06-14T13:39:57Z INFO Detected config files num=27

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_iam.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 30 (SUCCESSES: 12, FAILURES: 0, EXCEPTIONS: 18)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via register-my-data.tf:47-54 (module.ap_export_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via unzipped-s3-store.tf:1-7 (module.unzipped_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

parquet-to-csv.tf (terraform)

Tests: 15 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 2)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
parquet-to-csv.tf:25-33
────────────────────────────────────────
25 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
26 │ bucket = aws_s3_bucket.csv-output-bucket.id
27 │
28 │ rule {
29 │ apply_server_side_encryption_by_default {
30 │ sse_algorithm = "AES256"
31 │ }
32 │ }
33 └ }
────────────────────────────────────────

register-my-data.tf (terraform)

Tests: 9 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
register-my-data.tf:92-100
────────────────────────────────────────
92 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
93 │ bucket = aws_s3_bucket.ap_export_bucket.id
94 │
95 │ rule {
96 │ apply_server_side_encryption_by_default {
97 │ sse_algorithm = "AES256"
98 │ }
99 │ }
100 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 10 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 10)
Failures: 0 (HIGH: 0, CRITICAL: 0)

unzipped-s3-store.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
unzipped-s3-store.tf:15-23
────────────────────────────────────────
15 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
16 │ bucket = aws_s3_bucket.unzipped_store.id
17 │
18 │ rule {
19 │ apply_server_side_encryption_by_default {
20 │ sse_algorithm = "AES256"
21 │ }
22 │ }
23 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-14 13:40:00,083 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88:None (for external modules, the --download-external-modules flag is required)
2024-06-14 13:40:00,083 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1334, Failed checks: 137, Skipped checks: 6

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job
	File: /dms_data_validation_glue_job.tf:91-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		91  | resource "aws_glue_job" "dms_dv_glue_job" {
		92  |   name         = "dms-dv-glue-job"
		93  |   description  = "DMS Data Validation Glue-Job (PySpark)."
		94  |   role_arn     = aws_iam_role.dms_dv_glue_job_iam_role.arn
		95  |   glue_version = "4.0"
		96  |   default_arguments = {
		97  |     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"
		98  |     "--rds_db_host_ep"                   = split(":", aws_db_instance.database_2022.endpoint)[0]
		99  |     "--rds_db_pwd"                       = aws_db_instance.database_2022.password
		100 |     "--rds_sqlserver_db"                 = ""
		101 |     "--rds_sqlserver_db_schema"          = ""
		102 |     "--rds_sqlserver_tbls"               = ""
		103 |     "--trim_rds_df_str_columns"          = "false"
		104 |     "--repartition_factor"               = 8
		105 |     "--max_table_size_mb"                = 2000
		106 |     "--parquet_src_bucket_name"          = aws_s3_bucket.dms_target_ep_s3_bucket.id
		107 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		108 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		109 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		110 |     "--continuous-log-logGroup"          = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_cw_log_group.name}"
		111 |     "--enable-continuous-cloudwatch-log" = "true"
		112 |     "--enable-continuous-log-filter"     = "true"
		113 |     "--enable-spark-ui"                  = "true"
		114 |     "--spark-event-logs-path"            = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/spark_logs/"
		115 |     "--enable-metrics"                   = "true"
		116 |     "--enable-auto-scaling"              = "true"
		117 |     "--conf"                             = "spark.memory.offHeap.enabled=true --conf spark.memory.offHeap.size=1g --conf spark.sql.adaptive.enabled=true --conf spark.sql.adaptive.coalescePartitions.enabled=true --conf spark.sql.adaptive.skewJoin.enabled=true --conf spark.sql.legacy.parquet.datetimeRebaseModeInRead=CORRECTED"
		118 |   }
		119 | 
		120 |   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]
		121 |   command {
		122 |     python_version  = "3"
		123 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/dms_dv_rds_and_s3_parquet_write.py"
		124 |   }
		125 | 
		126 |   tags = merge(
		127 |     local.tags,
		128 |     {
		129 |       Resource_Type = "Glue-Job that processes data sourced from both RDS and S3",
		130 |     }
		131 |   )
		132 | 
		133 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:136-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		136 | resource "aws_glue_job" "dms_dv_glue_job_v2" {
		137 |   name              = "dms-dv-glue-job-v2"
		138 |   description       = "DMS Data Validation Glue-Job (PySpark)."
		139 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		140 |   glue_version      = "4.0"
		141 |   worker_type       = "G.1X"
		142 |   number_of_workers = 5
		143 |   default_arguments = {
		144 |     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"
		145 |     "--rds_db_host_ep"                   = split(":", aws_db_instance.database_2022.endpoint)[0]
		146 |     "--rds_db_pwd"                       = aws_db_instance.database_2022.password
		147 |     "--rds_sqlserver_db"                 = ""
		148 |     "--rds_sqlserver_db_schema"          = ""
		149 |     "--exclude_rds_db_tbls"              = ""
		150 |     "--select_rds_db_tbls"               = ""
		151 |     "--trim_rds_df_str_columns"          = "false"
		152 |     "--repartition_factor"               = 8
		153 |     "--max_table_size_mb"                = 2000
		154 |     "--transformed_column_list_1"        = ""
		155 |     "--rds_tbl_col_replace_char_1"       = ""
		156 |     "--parquet_src_bucket_name"          = aws_s3_bucket.dms_target_ep_s3_bucket.id
		157 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		158 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		159 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		160 |     "--continuous-log-logGroup"          = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_cw_log_group.name}"
		161 |     "--enable-continuous-cloudwatch-log" = "true"
		162 |     "--enable-continuous-log-filter"     = "true"
		163 |     "--enable-spark-ui"                  = "true"
		164 |     "--spark-event-logs-path"            = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/spark_logs/"
		165 |     "--enable-metrics"                   = "true"
		166 |     "--enable-auto-scaling"              = "true"
		167 |     "--conf"                             = "spark.memory.offHeap.enabled=true --conf spark.memory.offHeap.size=1g --conf spark.sql.adaptive.enabled=true --conf spark.sql.adaptive.coalescePartitions.enabled=true --conf spark.sql.adaptive.skewJoin.enabled=true --conf spark.sql.legacy.parquet.datetimeRebaseModeInRead=CORRECTED"
		168 |   }
		169 | 
		170 |   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]
		171 |   command {
		172 |     python_version  = "3"
		173 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/dms_dv_rds_and_s3_parquet_write_v2.py"
		174 |   }
		175 | 
		176 |   tags = merge(
		177 |     local.tags,
		178 |     {
		179 |       Resource_Type = "Glue-Job that processes data sourced from both RDS and S3",
		180 |     }
		181 |   )
		182 | 
		183 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:186-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		186 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		187 |   name              = "catalog-dv-table-glue-job"
		188 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		189 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		190 |   glue_version      = "4.0"
		191 |   worker_type       = "G.1X"
		192 |   number_of_workers = 2
		193 |   default_arguments = {
		194 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		195 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		196 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		197 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		198 |     "--enable-continuous-cloudwatch-log" = "true"
		199 |     "--enable-continuous-log-filter"     = "true"
		200 |     "--enable-metrics"                   = ""
		201 |   }
		202 |   command {
		203 |     python_version  = "3"
		204 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     local.tags,
		209 |     {
		210 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		211 |     }
		212 |   )
		213 | 
		214 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.get_glue_tables
	File: /lambdas_iam.tf:344-354
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		344 | data "aws_iam_policy_document" "get_glue_tables" {
		345 |     statement {
		346 |         effect = "Allow"
		347 |         actions = [
		348 |             "glue:GetTable",
		349 |             "glue:GetTables",
		350 |             "glue:GetDatabase"
		351 |         ]
		352 |         resources = ["*"]
		353 |     }
		354 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_cap_dw"].aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_cap_dw"].aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.parquet-to-csv
	File: /parquet-to-csv.tf:101-136
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		101 | data "aws_iam_policy_document" "parquet-to-csv" {
		102 |   statement {
		103 |     effect = "Allow"
		104 |     actions = [
		105 |       "s3:GetObject",
		106 |       "s3:ListBucket"
		107 |     ]
		108 |     resources = ["${aws_s3_bucket.glue-jobs.arn}/*", aws_s3_bucket.glue-jobs.arn, "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}/*", aws_s3_bucket.dms_target_ep_s3_bucket.arn]
		109 |   }
		110 |   statement {
		111 |     effect = "Allow"
		112 |     actions = [
		113 |       "s3:PutObject",
		114 |       "s3:DeleteObject",
		115 |       "s3:ListBucket"
		116 |     ]
		117 |     resources = [aws_s3_bucket.csv-output-bucket.arn, "${aws_s3_bucket.csv-output-bucket.arn}/*"]
		118 |   }
		119 |   statement {
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "glue:GetConnection",
		123 |       "glue:GetConnections",
		124 |       "glue:GetDatabase",
		125 |       "glue:GetDatabases",
		126 |       "glue:GetJob",
		127 |       "glue:GetJobs",
		128 |       "glue:GetPartition",
		129 |       "glue:GetPartitions",
		130 |       "glue:GetTable",
		131 |       "glue:GetTables",
		132 | 
		133 |     ]
		134 |     resources = ["*"]
		135 |   }
		136 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet-to-csv
	File: /parquet-to-csv.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		61 | resource "aws_cloudwatch_log_group" "parquet-to-csv" {
		62 |   name              = "parquet-to-csv"
		63 |   retention_in_days = 14
		64 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet-to-csv
	File: /parquet-to-csv.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "parquet-to-csv" {
		62 |   name              = "parquet-to-csv"
		63 |   retention_in_days = 14
		64 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet-to-csv
	File: /parquet-to-csv.tf:66-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		66 | resource "aws_glue_job" "parquet-to-csv" {
		67 |   name         = "parquet-to-csv"
		68 |   role_arn     = aws_iam_role.parquet-to-csv.arn
		69 |   glue_version = "4.0"
		70 |   default_arguments = {
		71 |     "--destination_bucket"               = aws_s3_bucket.csv-output-bucket.id
		72 |     "--source_bucket"                    = aws_s3_bucket.dms_target_ep_s3_bucket.id
		73 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.parquet-to-csv.name
		74 |     "--enable-continuous-cloudwatch-log" = "true"
		75 |     "--enable-continuous-log-filter"     = "true"
		76 |     "--enable-metrics"                   = ""
		77 |   }
		78 | 
		79 |   command {
		80 |     python_version  = "3"
		81 |     script_location = "s3://${aws_s3_bucket.glue-jobs.id}/parquet_to_csv.py"
		82 |   }
		83 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = <<EOF
		6  | {
		7  |   "StartAt": "GetMetadataList",
		8  |   "States": {
		9  |     "GetMetadataList": {
		10 |       "Type": "Task",
		11 |       "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |       "ResultPath": "$.metadata_list",
		13 |       "Next": "LoopThroughMetadataList"
		14 |     },
		15 |     "LoopThroughMetadataList": {
		16 |       "Type": "Map",
		17 |       "ItemsPath": "$.metadata_list.metadata_list",
		18 |       "MaxConcurrency": 4,
		19 |       "Iterator": {
		20 |         "StartAt": "CreateAthenaTable",
		21 |         "States": {
		22 |           "CreateAthenaTable": {
		23 |             "Type": "Task",
		24 |             "Resource": "${module.create_athena_table.lambda_function_arn}",
		25 |             "ResultPath": "$.result",
		26 |             "End": true
		27 |           }
		28 |         }
		29 |       },
		30 |       "End": true
		31 |     }
		32 |   }
		33 | }
		34 | EOF
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = <<EOF
		6  | {
		7  |   "StartAt": "GetMetadataList",
		8  |   "States": {
		9  |     "GetMetadataList": {
		10 |       "Type": "Task",
		11 |       "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |       "ResultPath": "$.metadata_list",
		13 |       "Next": "LoopThroughMetadataList"
		14 |     },
		15 |     "LoopThroughMetadataList": {
		16 |       "Type": "Map",
		17 |       "ItemsPath": "$.metadata_list.metadata_list",
		18 |       "MaxConcurrency": 4,
		19 |       "Iterator": {
		20 |         "StartAt": "CreateAthenaTable",
		21 |         "States": {
		22 |           "CreateAthenaTable": {
		23 |             "Type": "Task",
		24 |             "Resource": "${module.create_athena_table.lambda_function_arn}",
		25 |             "ResultPath": "$.result",
		26 |             "End": true
		27 |           }
		28 |         }
		29 |       },
		30 |       "End": true
		31 |     }
		32 |   }
		33 | }
		34 | EOF
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-151
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-151
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_emsys_mvp"].aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_emsys_mvp"].aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.ap_export_bucket
	File: /register-my-data.tf:84-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		84 | resource "aws_s3_bucket_ownership_controls" "ap_export_bucket" {
		85 |   bucket = aws_s3_bucket.ap_export_bucket.id
		86 | 
		87 |   rule {
		88 |     object_ownership = "BucketOwnerPreferred"
		89 |   }
		90 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.csv-output-bucket
	File: /parquet-to-csv.tf:25-33

		25 | resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
		26 |   bucket = aws_s3_bucket.csv-output-bucket.id
		27 | 
		28 |   rule {
		29 |     apply_server_side_encryption_by_default {
		30 |       sse_algorithm = "AES256"
		31 |     }
		32 |   }
		33 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.ap_export_bucket
	File: /register-my-data.tf:92-100

		92  | resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
		93  |   bucket = aws_s3_bucket.ap_export_bucket.id
		94  | 
		95  |   rule {
		96  |     apply_server_side_encryption_by_default {
		97  |       sse_algorithm = "AES256"
		98  |     }
		99  |   }
		100 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.unzipped_store
	File: /unzipped-s3-store.tf:15-23

		15 | resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
		16 |   bucket = aws_s3_bucket.unzipped_store.id
		17 | 
		18 |   rule {
		19 |     apply_server_side_encryption_by_default {
		20 |       sse_algorithm = "AES256"
		21 |     }
		22 |   }
		23 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
10 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 97:
  97:     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 108:
 108:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 120:
 120:   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 144:
 144:     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 158:
 158:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 170:
 170:   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 195:
 195:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/register-my-data.tf line 148:
 148: data "archive_file" "em_ap_transfer_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-14T13:39:53Z	INFO	Need to update DB
2024-06-14T13:39:53Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-14T13:39:55Z	INFO	Vulnerability scanning is enabled
2024-06-14T13:39:55Z	INFO	Misconfiguration scanning is enabled
2024-06-14T13:39:55Z	INFO	Need to update the built-in policies
2024-06-14T13:39:55Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-14T13:39:55Z	INFO	Secret scanning is enabled
2024-06-14T13:39:55Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:39:55Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:39:57Z	INFO	Number of language-specific files	num=0
2024-06-14T13:39:57Z	INFO	Detected config files	num=27

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88/main.tf (terraform)
=======================================================================================================
Tests: 8 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_iam.tf (terraform)
=======================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 30 (SUCCESSES: 12, FAILURES: 0, EXCEPTIONS: 18)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  4243 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via register-my-data.tf:47-54 (module.ap_export_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via unzipped-s3-store.tf:1-7 (module.unzipped_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



parquet-to-csv.tf (terraform)
=============================
Tests: 15 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 2)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 parquet-to-csv.tf:25-33
────────────────────────────────────────
  25resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
  26 │   bucket = aws_s3_bucket.csv-output-bucket.id
  2728 │   rule {
  29 │     apply_server_side_encryption_by_default {
  30 │       sse_algorithm = "AES256"
  31 │     }
  32 │   }
  33 └ }
────────────────────────────────────────



register-my-data.tf (terraform)
===============================
Tests: 9 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 register-my-data.tf:92-100
────────────────────────────────────────
  92resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
  93 │   bucket = aws_s3_bucket.ap_export_bucket.id
  9495 │   rule {
  96 │     apply_server_side_encryption_by_default {
  97 │       sse_algorithm = "AES256"
  98 │     }
  99 │   }
 100 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 10 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 10)
Failures: 0 (HIGH: 0, CRITICAL: 0)


unzipped-s3-store.tf (terraform)
================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 unzipped-s3-store.tf:15-23
────────────────────────────────────────
  15resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
  16 │   bucket = aws_s3_bucket.unzipped_store.id
  1718 │   rule {
  19 │     apply_server_side_encryption_by_default {
  20 │       sse_algorithm = "AES256"
  21 │     }
  22 │   }
  23 └ }
────────────────────────────────────────


trivy_exitcode=1

@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 13:44 — with GitHub Actions Failure
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-14T13:44:43Z INFO Need to update DB
2024-06-14T13:44:43Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-14T13:44:45Z INFO Vulnerability scanning is enabled
2024-06-14T13:44:45Z INFO Misconfiguration scanning is enabled
2024-06-14T13:44:45Z INFO Need to update the built-in policies
2024-06-14T13:44:45Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-14T13:44:45Z INFO Secret scanning is enabled
2024-06-14T13:44:45Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:44:45Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:44:48Z INFO Number of language-specific files num=0
2024-06-14T13:44:48Z INFO Detected config files num=27

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_iam.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 30 (SUCCESSES: 12, FAILURES: 0, EXCEPTIONS: 18)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via register-my-data.tf:47-54 (module.ap_export_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via unzipped-s3-store.tf:1-7 (module.unzipped_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

parquet-to-csv.tf (terraform)

Tests: 15 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 2)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
parquet-to-csv.tf:25-33
────────────────────────────────────────
25 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
26 │ bucket = aws_s3_bucket.csv-output-bucket.id
27 │
28 │ rule {
29 │ apply_server_side_encryption_by_default {
30 │ sse_algorithm = "AES256"
31 │ }
32 │ }
33 └ }
────────────────────────────────────────

register-my-data.tf (terraform)

Tests: 9 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
register-my-data.tf:92-100
────────────────────────────────────────
92 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
93 │ bucket = aws_s3_bucket.ap_export_bucket.id
94 │
95 │ rule {
96 │ apply_server_side_encryption_by_default {
97 │ sse_algorithm = "AES256"
98 │ }
99 │ }
100 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 10 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 10)
Failures: 0 (HIGH: 0, CRITICAL: 0)

unzipped-s3-store.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
unzipped-s3-store.tf:15-23
────────────────────────────────────────
15 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
16 │ bucket = aws_s3_bucket.unzipped_store.id
17 │
18 │ rule {
19 │ apply_server_side_encryption_by_default {
20 │ sse_algorithm = "AES256"
21 │ }
22 │ }
23 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-14 13:44:50,305 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88:None (for external modules, the --download-external-modules flag is required)
2024-06-14 13:44:50,305 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1334, Failed checks: 137, Skipped checks: 6

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job
	File: /dms_data_validation_glue_job.tf:91-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		91  | resource "aws_glue_job" "dms_dv_glue_job" {
		92  |   name         = "dms-dv-glue-job"
		93  |   description  = "DMS Data Validation Glue-Job (PySpark)."
		94  |   role_arn     = aws_iam_role.dms_dv_glue_job_iam_role.arn
		95  |   glue_version = "4.0"
		96  |   default_arguments = {
		97  |     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"
		98  |     "--rds_db_host_ep"                   = split(":", aws_db_instance.database_2022.endpoint)[0]
		99  |     "--rds_db_pwd"                       = aws_db_instance.database_2022.password
		100 |     "--rds_sqlserver_db"                 = ""
		101 |     "--rds_sqlserver_db_schema"          = ""
		102 |     "--rds_sqlserver_tbls"               = ""
		103 |     "--trim_rds_df_str_columns"          = "false"
		104 |     "--repartition_factor"               = 8
		105 |     "--max_table_size_mb"                = 2000
		106 |     "--parquet_src_bucket_name"          = aws_s3_bucket.dms_target_ep_s3_bucket.id
		107 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		108 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		109 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		110 |     "--continuous-log-logGroup"          = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_cw_log_group.name}"
		111 |     "--enable-continuous-cloudwatch-log" = "true"
		112 |     "--enable-continuous-log-filter"     = "true"
		113 |     "--enable-spark-ui"                  = "true"
		114 |     "--spark-event-logs-path"            = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/spark_logs/"
		115 |     "--enable-metrics"                   = "true"
		116 |     "--enable-auto-scaling"              = "true"
		117 |     "--conf"                             = "spark.memory.offHeap.enabled=true --conf spark.memory.offHeap.size=1g --conf spark.sql.adaptive.enabled=true --conf spark.sql.adaptive.coalescePartitions.enabled=true --conf spark.sql.adaptive.skewJoin.enabled=true --conf spark.sql.legacy.parquet.datetimeRebaseModeInRead=CORRECTED"
		118 |   }
		119 | 
		120 |   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]
		121 |   command {
		122 |     python_version  = "3"
		123 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/dms_dv_rds_and_s3_parquet_write.py"
		124 |   }
		125 | 
		126 |   tags = merge(
		127 |     local.tags,
		128 |     {
		129 |       Resource_Type = "Glue-Job that processes data sourced from both RDS and S3",
		130 |     }
		131 |   )
		132 | 
		133 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:136-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		136 | resource "aws_glue_job" "dms_dv_glue_job_v2" {
		137 |   name              = "dms-dv-glue-job-v2"
		138 |   description       = "DMS Data Validation Glue-Job (PySpark)."
		139 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		140 |   glue_version      = "4.0"
		141 |   worker_type       = "G.1X"
		142 |   number_of_workers = 5
		143 |   default_arguments = {
		144 |     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"
		145 |     "--rds_db_host_ep"                   = split(":", aws_db_instance.database_2022.endpoint)[0]
		146 |     "--rds_db_pwd"                       = aws_db_instance.database_2022.password
		147 |     "--rds_sqlserver_db"                 = ""
		148 |     "--rds_sqlserver_db_schema"          = ""
		149 |     "--exclude_rds_db_tbls"              = ""
		150 |     "--select_rds_db_tbls"               = ""
		151 |     "--trim_rds_df_str_columns"          = "false"
		152 |     "--repartition_factor"               = 8
		153 |     "--max_table_size_mb"                = 2000
		154 |     "--transformed_column_list_1"        = ""
		155 |     "--rds_tbl_col_replace_char_1"       = ""
		156 |     "--parquet_src_bucket_name"          = aws_s3_bucket.dms_target_ep_s3_bucket.id
		157 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		158 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		159 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		160 |     "--continuous-log-logGroup"          = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_cw_log_group.name}"
		161 |     "--enable-continuous-cloudwatch-log" = "true"
		162 |     "--enable-continuous-log-filter"     = "true"
		163 |     "--enable-spark-ui"                  = "true"
		164 |     "--spark-event-logs-path"            = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/spark_logs/"
		165 |     "--enable-metrics"                   = "true"
		166 |     "--enable-auto-scaling"              = "true"
		167 |     "--conf"                             = "spark.memory.offHeap.enabled=true --conf spark.memory.offHeap.size=1g --conf spark.sql.adaptive.enabled=true --conf spark.sql.adaptive.coalescePartitions.enabled=true --conf spark.sql.adaptive.skewJoin.enabled=true --conf spark.sql.legacy.parquet.datetimeRebaseModeInRead=CORRECTED"
		168 |   }
		169 | 
		170 |   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]
		171 |   command {
		172 |     python_version  = "3"
		173 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/dms_dv_rds_and_s3_parquet_write_v2.py"
		174 |   }
		175 | 
		176 |   tags = merge(
		177 |     local.tags,
		178 |     {
		179 |       Resource_Type = "Glue-Job that processes data sourced from both RDS and S3",
		180 |     }
		181 |   )
		182 | 
		183 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:186-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		186 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		187 |   name              = "catalog-dv-table-glue-job"
		188 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		189 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		190 |   glue_version      = "4.0"
		191 |   worker_type       = "G.1X"
		192 |   number_of_workers = 2
		193 |   default_arguments = {
		194 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		195 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		196 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		197 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		198 |     "--enable-continuous-cloudwatch-log" = "true"
		199 |     "--enable-continuous-log-filter"     = "true"
		200 |     "--enable-metrics"                   = ""
		201 |   }
		202 |   command {
		203 |     python_version  = "3"
		204 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     local.tags,
		209 |     {
		210 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		211 |     }
		212 |   )
		213 | 
		214 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.get_glue_tables
	File: /lambdas_iam.tf:344-354
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		344 | data "aws_iam_policy_document" "get_glue_tables" {
		345 |     statement {
		346 |         effect = "Allow"
		347 |         actions = [
		348 |             "glue:GetTable",
		349 |             "glue:GetTables",
		350 |             "glue:GetDatabase"
		351 |         ]
		352 |         resources = ["*"]
		353 |     }
		354 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_cap_dw"].aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_cap_dw"].aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet-to-csv
	File: /parquet-to-csv.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		61 | resource "aws_cloudwatch_log_group" "parquet-to-csv" {
		62 |   name              = "parquet-to-csv"
		63 |   retention_in_days = 14
		64 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet-to-csv
	File: /parquet-to-csv.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "parquet-to-csv" {
		62 |   name              = "parquet-to-csv"
		63 |   retention_in_days = 14
		64 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet-to-csv
	File: /parquet-to-csv.tf:66-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		66 | resource "aws_glue_job" "parquet-to-csv" {
		67 |   name         = "parquet-to-csv"
		68 |   role_arn     = aws_iam_role.parquet-to-csv.arn
		69 |   glue_version = "4.0"
		70 |   default_arguments = {
		71 |     "--destination_bucket"               = aws_s3_bucket.csv-output-bucket.id
		72 |     "--source_bucket"                    = aws_s3_bucket.dms_target_ep_s3_bucket.id
		73 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.parquet-to-csv.name
		74 |     "--enable-continuous-cloudwatch-log" = "true"
		75 |     "--enable-continuous-log-filter"     = "true"
		76 |     "--enable-metrics"                   = ""
		77 |   }
		78 | 
		79 |   command {
		80 |     python_version  = "3"
		81 |     script_location = "s3://${aws_s3_bucket.glue-jobs.id}/parquet_to_csv.py"
		82 |   }
		83 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.parquet-to-csv
	File: /parquet-to-csv.tf:101-136
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		101 | data "aws_iam_policy_document" "parquet-to-csv" {
		102 |   statement {
		103 |     effect = "Allow"
		104 |     actions = [
		105 |       "s3:GetObject",
		106 |       "s3:ListBucket"
		107 |     ]
		108 |     resources = ["${aws_s3_bucket.glue-jobs.arn}/*", aws_s3_bucket.glue-jobs.arn, "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}/*", aws_s3_bucket.dms_target_ep_s3_bucket.arn]
		109 |   }
		110 |   statement {
		111 |     effect = "Allow"
		112 |     actions = [
		113 |       "s3:PutObject",
		114 |       "s3:DeleteObject",
		115 |       "s3:ListBucket"
		116 |     ]
		117 |     resources = [aws_s3_bucket.csv-output-bucket.arn, "${aws_s3_bucket.csv-output-bucket.arn}/*"]
		118 |   }
		119 |   statement {
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "glue:GetConnection",
		123 |       "glue:GetConnections",
		124 |       "glue:GetDatabase",
		125 |       "glue:GetDatabases",
		126 |       "glue:GetJob",
		127 |       "glue:GetJobs",
		128 |       "glue:GetPartition",
		129 |       "glue:GetPartitions",
		130 |       "glue:GetTable",
		131 |       "glue:GetTables",
		132 | 
		133 |     ]
		134 |     resources = ["*"]
		135 |   }
		136 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = <<EOF
		6  | {
		7  |   "StartAt": "GetMetadataList",
		8  |   "States": {
		9  |     "GetMetadataList": {
		10 |       "Type": "Task",
		11 |       "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |       "ResultPath": "$.metadata_list",
		13 |       "Next": "LoopThroughMetadataList"
		14 |     },
		15 |     "LoopThroughMetadataList": {
		16 |       "Type": "Map",
		17 |       "ItemsPath": "$.metadata_list.metadata_list",
		18 |       "MaxConcurrency": 4,
		19 |       "Iterator": {
		20 |         "StartAt": "CreateAthenaTable",
		21 |         "States": {
		22 |           "CreateAthenaTable": {
		23 |             "Type": "Task",
		24 |             "Resource": "${module.create_athena_table.lambda_function_arn}",
		25 |             "ResultPath": "$.result",
		26 |             "End": true
		27 |           }
		28 |         }
		29 |       },
		30 |       "End": true
		31 |     }
		32 |   }
		33 | }
		34 | EOF
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = <<EOF
		6  | {
		7  |   "StartAt": "GetMetadataList",
		8  |   "States": {
		9  |     "GetMetadataList": {
		10 |       "Type": "Task",
		11 |       "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |       "ResultPath": "$.metadata_list",
		13 |       "Next": "LoopThroughMetadataList"
		14 |     },
		15 |     "LoopThroughMetadataList": {
		16 |       "Type": "Map",
		17 |       "ItemsPath": "$.metadata_list.metadata_list",
		18 |       "MaxConcurrency": 4,
		19 |       "Iterator": {
		20 |         "StartAt": "CreateAthenaTable",
		21 |         "States": {
		22 |           "CreateAthenaTable": {
		23 |             "Type": "Task",
		24 |             "Resource": "${module.create_athena_table.lambda_function_arn}",
		25 |             "ResultPath": "$.result",
		26 |             "End": true
		27 |           }
		28 |         }
		29 |       },
		30 |       "End": true
		31 |     }
		32 |   }
		33 | }
		34 | EOF
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-151
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-151
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_emsys_mvp"].aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_emsys_mvp"].aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.ap_export_bucket
	File: /register-my-data.tf:84-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		84 | resource "aws_s3_bucket_ownership_controls" "ap_export_bucket" {
		85 |   bucket = aws_s3_bucket.ap_export_bucket.id
		86 | 
		87 |   rule {
		88 |     object_ownership = "BucketOwnerPreferred"
		89 |   }
		90 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.csv-output-bucket
	File: /parquet-to-csv.tf:25-33

		25 | resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
		26 |   bucket = aws_s3_bucket.csv-output-bucket.id
		27 | 
		28 |   rule {
		29 |     apply_server_side_encryption_by_default {
		30 |       sse_algorithm = "AES256"
		31 |     }
		32 |   }
		33 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.ap_export_bucket
	File: /register-my-data.tf:92-100

		92  | resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
		93  |   bucket = aws_s3_bucket.ap_export_bucket.id
		94  | 
		95  |   rule {
		96  |     apply_server_side_encryption_by_default {
		97  |       sse_algorithm = "AES256"
		98  |     }
		99  |   }
		100 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.unzipped_store
	File: /unzipped-s3-store.tf:15-23

		15 | resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
		16 |   bucket = aws_s3_bucket.unzipped_store.id
		17 | 
		18 |   rule {
		19 |     apply_server_side_encryption_by_default {
		20 |       sse_algorithm = "AES256"
		21 |     }
		22 |   }
		23 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
10 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 97:
  97:     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 108:
 108:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 120:
 120:   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 144:
 144:     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 158:
 158:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 170:
 170:   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 195:
 195:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 189:
 189: data "archive_file" "get_tables_from_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-14T13:44:43Z	INFO	Need to update DB
2024-06-14T13:44:43Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-14T13:44:45Z	INFO	Vulnerability scanning is enabled
2024-06-14T13:44:45Z	INFO	Misconfiguration scanning is enabled
2024-06-14T13:44:45Z	INFO	Need to update the built-in policies
2024-06-14T13:44:45Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-14T13:44:45Z	INFO	Secret scanning is enabled
2024-06-14T13:44:45Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:44:45Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:44:48Z	INFO	Number of language-specific files	num=0
2024-06-14T13:44:48Z	INFO	Detected config files	num=27

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88/main.tf (terraform)
=======================================================================================================
Tests: 8 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_iam.tf (terraform)
=======================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 30 (SUCCESSES: 12, FAILURES: 0, EXCEPTIONS: 18)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  4243 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via register-my-data.tf:47-54 (module.ap_export_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via unzipped-s3-store.tf:1-7 (module.unzipped_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



parquet-to-csv.tf (terraform)
=============================
Tests: 15 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 2)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 parquet-to-csv.tf:25-33
────────────────────────────────────────
  25resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
  26 │   bucket = aws_s3_bucket.csv-output-bucket.id
  2728 │   rule {
  29 │     apply_server_side_encryption_by_default {
  30 │       sse_algorithm = "AES256"
  31 │     }
  32 │   }
  33 └ }
────────────────────────────────────────



register-my-data.tf (terraform)
===============================
Tests: 9 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 register-my-data.tf:92-100
────────────────────────────────────────
  92resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
  93 │   bucket = aws_s3_bucket.ap_export_bucket.id
  9495 │   rule {
  96 │     apply_server_side_encryption_by_default {
  97 │       sse_algorithm = "AES256"
  98 │     }
  99 │   }
 100 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 10 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 10)
Failures: 0 (HIGH: 0, CRITICAL: 0)


unzipped-s3-store.tf (terraform)
================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 unzipped-s3-store.tf:15-23
────────────────────────────────────────
  15resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
  16 │   bucket = aws_s3_bucket.unzipped_store.id
  1718 │   rule {
  19 │     apply_server_side_encryption_by_default {
  20 │       sse_algorithm = "AES256"
  21 │     }
  22 │   }
  23 └ }
────────────────────────────────────────


trivy_exitcode=1

@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 13:52 — with GitHub Actions Failure
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-14T13:53:12Z INFO Need to update DB
2024-06-14T13:53:12Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-14T13:53:14Z INFO Vulnerability scanning is enabled
2024-06-14T13:53:14Z INFO Misconfiguration scanning is enabled
2024-06-14T13:53:14Z INFO Need to update the built-in policies
2024-06-14T13:53:14Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-14T13:53:14Z INFO Secret scanning is enabled
2024-06-14T13:53:14Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:53:14Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:53:16Z INFO Number of language-specific files num=0
2024-06-14T13:53:16Z INFO Detected config files num=27

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_iam.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 30 (SUCCESSES: 12, FAILURES: 0, EXCEPTIONS: 18)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via register-my-data.tf:47-54 (module.ap_export_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via unzipped-s3-store.tf:1-7 (module.unzipped_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

parquet-to-csv.tf (terraform)

Tests: 15 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 2)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
parquet-to-csv.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "glue-jobs" {
2 │ bucket_prefix = "glue-jobs-"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
parquet-to-csv.tf:25-33
────────────────────────────────────────
25 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
26 │ bucket = aws_s3_bucket.csv-output-bucket.id
27 │
28 │ rule {
29 │ apply_server_side_encryption_by_default {
30 │ sse_algorithm = "AES256"
31 │ }
32 │ }
33 └ }
────────────────────────────────────────

register-my-data.tf (terraform)

Tests: 9 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
register-my-data.tf:92-100
────────────────────────────────────────
92 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
93 │ bucket = aws_s3_bucket.ap_export_bucket.id
94 │
95 │ rule {
96 │ apply_server_side_encryption_by_default {
97 │ sse_algorithm = "AES256"
98 │ }
99 │ }
100 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 10 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 10)
Failures: 0 (HIGH: 0, CRITICAL: 0)

unzipped-s3-store.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
unzipped-s3-store.tf:15-23
────────────────────────────────────────
15 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
16 │ bucket = aws_s3_bucket.unzipped_store.id
17 │
18 │ rule {
19 │ apply_server_side_encryption_by_default {
20 │ sse_algorithm = "AES256"
21 │ }
22 │ }
23 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-14 13:53:19,232 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88:None (for external modules, the --download-external-modules flag is required)
2024-06-14 13:53:19,232 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1334, Failed checks: 137, Skipped checks: 6

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job
	File: /dms_data_validation_glue_job.tf:91-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		91  | resource "aws_glue_job" "dms_dv_glue_job" {
		92  |   name         = "dms-dv-glue-job"
		93  |   description  = "DMS Data Validation Glue-Job (PySpark)."
		94  |   role_arn     = aws_iam_role.dms_dv_glue_job_iam_role.arn
		95  |   glue_version = "4.0"
		96  |   default_arguments = {
		97  |     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"
		98  |     "--rds_db_host_ep"                   = split(":", aws_db_instance.database_2022.endpoint)[0]
		99  |     "--rds_db_pwd"                       = aws_db_instance.database_2022.password
		100 |     "--rds_sqlserver_db"                 = ""
		101 |     "--rds_sqlserver_db_schema"          = ""
		102 |     "--rds_sqlserver_tbls"               = ""
		103 |     "--trim_rds_df_str_columns"          = "false"
		104 |     "--repartition_factor"               = 8
		105 |     "--max_table_size_mb"                = 2000
		106 |     "--parquet_src_bucket_name"          = aws_s3_bucket.dms_target_ep_s3_bucket.id
		107 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		108 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		109 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		110 |     "--continuous-log-logGroup"          = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_cw_log_group.name}"
		111 |     "--enable-continuous-cloudwatch-log" = "true"
		112 |     "--enable-continuous-log-filter"     = "true"
		113 |     "--enable-spark-ui"                  = "true"
		114 |     "--spark-event-logs-path"            = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/spark_logs/"
		115 |     "--enable-metrics"                   = "true"
		116 |     "--enable-auto-scaling"              = "true"
		117 |     "--conf"                             = "spark.memory.offHeap.enabled=true --conf spark.memory.offHeap.size=1g --conf spark.sql.adaptive.enabled=true --conf spark.sql.adaptive.coalescePartitions.enabled=true --conf spark.sql.adaptive.skewJoin.enabled=true --conf spark.sql.legacy.parquet.datetimeRebaseModeInRead=CORRECTED"
		118 |   }
		119 | 
		120 |   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]
		121 |   command {
		122 |     python_version  = "3"
		123 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/dms_dv_rds_and_s3_parquet_write.py"
		124 |   }
		125 | 
		126 |   tags = merge(
		127 |     local.tags,
		128 |     {
		129 |       Resource_Type = "Glue-Job that processes data sourced from both RDS and S3",
		130 |     }
		131 |   )
		132 | 
		133 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:136-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		136 | resource "aws_glue_job" "dms_dv_glue_job_v2" {
		137 |   name              = "dms-dv-glue-job-v2"
		138 |   description       = "DMS Data Validation Glue-Job (PySpark)."
		139 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		140 |   glue_version      = "4.0"
		141 |   worker_type       = "G.1X"
		142 |   number_of_workers = 5
		143 |   default_arguments = {
		144 |     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"
		145 |     "--rds_db_host_ep"                   = split(":", aws_db_instance.database_2022.endpoint)[0]
		146 |     "--rds_db_pwd"                       = aws_db_instance.database_2022.password
		147 |     "--rds_sqlserver_db"                 = ""
		148 |     "--rds_sqlserver_db_schema"          = ""
		149 |     "--exclude_rds_db_tbls"              = ""
		150 |     "--select_rds_db_tbls"               = ""
		151 |     "--trim_rds_df_str_columns"          = "false"
		152 |     "--repartition_factor"               = 8
		153 |     "--max_table_size_mb"                = 2000
		154 |     "--transformed_column_list_1"        = ""
		155 |     "--rds_tbl_col_replace_char_1"       = ""
		156 |     "--parquet_src_bucket_name"          = aws_s3_bucket.dms_target_ep_s3_bucket.id
		157 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		158 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		159 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		160 |     "--continuous-log-logGroup"          = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_cw_log_group.name}"
		161 |     "--enable-continuous-cloudwatch-log" = "true"
		162 |     "--enable-continuous-log-filter"     = "true"
		163 |     "--enable-spark-ui"                  = "true"
		164 |     "--spark-event-logs-path"            = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/spark_logs/"
		165 |     "--enable-metrics"                   = "true"
		166 |     "--enable-auto-scaling"              = "true"
		167 |     "--conf"                             = "spark.memory.offHeap.enabled=true --conf spark.memory.offHeap.size=1g --conf spark.sql.adaptive.enabled=true --conf spark.sql.adaptive.coalescePartitions.enabled=true --conf spark.sql.adaptive.skewJoin.enabled=true --conf spark.sql.legacy.parquet.datetimeRebaseModeInRead=CORRECTED"
		168 |   }
		169 | 
		170 |   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]
		171 |   command {
		172 |     python_version  = "3"
		173 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/dms_dv_rds_and_s3_parquet_write_v2.py"
		174 |   }
		175 | 
		176 |   tags = merge(
		177 |     local.tags,
		178 |     {
		179 |       Resource_Type = "Glue-Job that processes data sourced from both RDS and S3",
		180 |     }
		181 |   )
		182 | 
		183 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:186-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		186 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		187 |   name              = "catalog-dv-table-glue-job"
		188 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		189 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		190 |   glue_version      = "4.0"
		191 |   worker_type       = "G.1X"
		192 |   number_of_workers = 2
		193 |   default_arguments = {
		194 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		195 |     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"
		196 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		197 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		198 |     "--enable-continuous-cloudwatch-log" = "true"
		199 |     "--enable-continuous-log-filter"     = "true"
		200 |     "--enable-metrics"                   = ""
		201 |   }
		202 |   command {
		203 |     python_version  = "3"
		204 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		205 |   }
		206 | 
		207 |   tags = merge(
		208 |     local.tags,
		209 |     {
		210 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		211 |     }
		212 |   )
		213 | 
		214 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.get_glue_tables
	File: /lambdas_iam.tf:344-354
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		344 | data "aws_iam_policy_document" "get_glue_tables" {
		345 |     statement {
		346 |         effect = "Allow"
		347 |         actions = [
		348 |             "glue:GetTable",
		349 |             "glue:GetTables",
		350 |             "glue:GetDatabase"
		351 |         ]
		352 |         resources = ["*"]
		353 |     }
		354 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_cap_dw"].aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_cap_dw"].aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.parquet-to-csv
	File: /parquet-to-csv.tf:101-136
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		101 | data "aws_iam_policy_document" "parquet-to-csv" {
		102 |   statement {
		103 |     effect = "Allow"
		104 |     actions = [
		105 |       "s3:GetObject",
		106 |       "s3:ListBucket"
		107 |     ]
		108 |     resources = ["${aws_s3_bucket.glue-jobs.arn}/*", aws_s3_bucket.glue-jobs.arn, "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}/*", aws_s3_bucket.dms_target_ep_s3_bucket.arn]
		109 |   }
		110 |   statement {
		111 |     effect = "Allow"
		112 |     actions = [
		113 |       "s3:PutObject",
		114 |       "s3:DeleteObject",
		115 |       "s3:ListBucket"
		116 |     ]
		117 |     resources = [aws_s3_bucket.csv-output-bucket.arn, "${aws_s3_bucket.csv-output-bucket.arn}/*"]
		118 |   }
		119 |   statement {
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "glue:GetConnection",
		123 |       "glue:GetConnections",
		124 |       "glue:GetDatabase",
		125 |       "glue:GetDatabases",
		126 |       "glue:GetJob",
		127 |       "glue:GetJobs",
		128 |       "glue:GetPartition",
		129 |       "glue:GetPartitions",
		130 |       "glue:GetTable",
		131 |       "glue:GetTables",
		132 | 
		133 |     ]
		134 |     resources = ["*"]
		135 |   }
		136 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet-to-csv
	File: /parquet-to-csv.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		61 | resource "aws_cloudwatch_log_group" "parquet-to-csv" {
		62 |   name              = "parquet-to-csv"
		63 |   retention_in_days = 14
		64 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet-to-csv
	File: /parquet-to-csv.tf:61-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		61 | resource "aws_cloudwatch_log_group" "parquet-to-csv" {
		62 |   name              = "parquet-to-csv"
		63 |   retention_in_days = 14
		64 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet-to-csv
	File: /parquet-to-csv.tf:66-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		66 | resource "aws_glue_job" "parquet-to-csv" {
		67 |   name         = "parquet-to-csv"
		68 |   role_arn     = aws_iam_role.parquet-to-csv.arn
		69 |   glue_version = "4.0"
		70 |   default_arguments = {
		71 |     "--destination_bucket"               = aws_s3_bucket.csv-output-bucket.id
		72 |     "--source_bucket"                    = aws_s3_bucket.dms_target_ep_s3_bucket.id
		73 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.parquet-to-csv.name
		74 |     "--enable-continuous-cloudwatch-log" = "true"
		75 |     "--enable-continuous-log-filter"     = "true"
		76 |     "--enable-metrics"                   = ""
		77 |   }
		78 | 
		79 |   command {
		80 |     python_version  = "3"
		81 |     script_location = "s3://${aws_s3_bucket.glue-jobs.id}/parquet_to_csv.py"
		82 |   }
		83 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.em_ap_transfer_lambda
	File: /register-my-data.tf:154-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		154 | resource "aws_lambda_function" "em_ap_transfer_lambda" {
		155 |   filename      = "lambdas/send_table_to_ap.zip"
		156 |   function_name = "em-ap-transfer-lambda"
		157 |   role          = aws_iam_role.em_ap_transfer_lambda.arn
		158 |   handler       = "em_ap_transfer_lambda.handler"
		159 |   runtime       = "python3.12"
		160 |   memory_size   = 4096
		161 |   timeout       = 900
		162 |   environment {
		163 |     variables = {
		164 |       "REG_BUCKET_NAME" = local.register_my_data_bucket
		165 |     }
		166 |   }
		167 |   source_code_hash = data.archive_file.em_ap_transfer_lambda.output_base64sha256
		168 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt": "GetMetadataList",
		8  |       "States": {
		9  |         "GetMetadataList": {
		10 |           "Type": "Task",
		11 |           "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath": "$.metadata_list",
		13 |           "Next": "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList": {
		16 |           "Type": "Map",
		17 |           "ItemsPath": "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency": 4,
		19 |           "Iterator": {
		20 |             "StartAt": "CreateAthenaTable",
		21 |             "States": {
		22 |               "CreateAthenaTable": {
		23 |                 "Type": "Task",
		24 |                 "Resource": "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath": "$.result",
		26 |                 "End": true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End": true
		31 |         }
		32 |       }
		33 |     }
		34 | )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt": "GetMetadataList",
		8  |       "States": {
		9  |         "GetMetadataList": {
		10 |           "Type": "Task",
		11 |           "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath": "$.metadata_list",
		13 |           "Next": "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList": {
		16 |           "Type": "Map",
		17 |           "ItemsPath": "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency": 4,
		19 |           "Iterator": {
		20 |             "StartAt": "CreateAthenaTable",
		21 |             "States": {
		22 |               "CreateAthenaTable": {
		23 |                 "Type": "Task",
		24 |                 "Resource": "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath": "$.result",
		26 |                 "End": true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End": true
		31 |         }
		32 |       }
		33 |     }
		34 | )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-149
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-149
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_emsys_mvp"].aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task["g4s_emsys_mvp"].aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.ap_export_bucket
	File: /register-my-data.tf:84-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		84 | resource "aws_s3_bucket_ownership_controls" "ap_export_bucket" {
		85 |   bucket = aws_s3_bucket.ap_export_bucket.id
		86 | 
		87 |   rule {
		88 |     object_ownership = "BucketOwnerPreferred"
		89 |   }
		90 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ap_export_bucket
	File: /register-my-data.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		7 | resource "aws_s3_bucket" "ap_export_bucket" {
		8 |   bucket_prefix = "ap-export-bucket-"
		9 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.unzipped_store
	File: /unzipped-s3-store.tf:9-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		9  | resource "aws_s3_bucket" "unzipped_store" {
		10 |   bucket_prefix = "em-unzipped-data-store-"
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.glue-jobs
	File: /parquet-to-csv.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "glue-jobs" {
		2 |   bucket_prefix = "glue-jobs-"
		3 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.csv-output-bucket
	File: /parquet-to-csv.tf:13-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		13 | resource "aws_s3_bucket" "csv-output-bucket" {
		14 |   bucket_prefix = "data-to-ap-"
		15 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.ap_export_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.csv-output-bucket
	File: /parquet-to-csv.tf:25-33

		25 | resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
		26 |   bucket = aws_s3_bucket.csv-output-bucket.id
		27 | 
		28 |   rule {
		29 |     apply_server_side_encryption_by_default {
		30 |       sse_algorithm = "AES256"
		31 |     }
		32 |   }
		33 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.ap_export_bucket
	File: /register-my-data.tf:92-100

		92  | resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
		93  |   bucket = aws_s3_bucket.ap_export_bucket.id
		94  | 
		95  |   rule {
		96  |     apply_server_side_encryption_by_default {
		97  |       sse_algorithm = "AES256"
		98  |     }
		99  |   }
		100 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.unzipped_store
	File: /unzipped-s3-store.tf:15-23

		15 | resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
		16 |   bucket = aws_s3_bucket.unzipped_store.id
		17 | 
		18 |   rule {
		19 |     apply_server_side_encryption_by_default {
		20 |       sse_algorithm = "AES256"
		21 |     }
		22 |   }
		23 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 97:
  97:     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 108:
 108:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 120:
 120:   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 144:
 144:     "--script_bucket_name"               = "${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 158:
 158:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 170:
 170:   connections = ["${aws_glue_connection.glue_rds_sqlserver_db_connection.name}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf line 195:
 195:     "--glue_catalog_db_name"             = "${aws_glue_catalog_database.dms_dv_glue_catalog_db.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/register-my-data.tf line 148:
 148: data "archive_file" "em_ap_transfer_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource": "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 122:
 122:                 "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 135:
 135:                     "Resource": "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-14T13:53:12Z	INFO	Need to update DB
2024-06-14T13:53:12Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-14T13:53:14Z	INFO	Vulnerability scanning is enabled
2024-06-14T13:53:14Z	INFO	Misconfiguration scanning is enabled
2024-06-14T13:53:14Z	INFO	Need to update the built-in policies
2024-06-14T13:53:14Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-14T13:53:14Z	INFO	Secret scanning is enabled
2024-06-14T13:53:14Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-14T13:53:14Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-14T13:53:16Z	INFO	Number of language-specific files	num=0
2024-06-14T13:53:16Z	INFO	Detected config files	num=27

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f109c88/main.tf (terraform)
=======================================================================================================
Tests: 8 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_iam.tf (terraform)
=======================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 30 (SUCCESSES: 12, FAILURES: 0, EXCEPTIONS: 18)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  4243 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 28 (SUCCESSES: 24, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via register-my-data.tf:47-54 (module.ap_export_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via unzipped-s3-store.tf:1-7 (module.unzipped_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



parquet-to-csv.tf (terraform)
=============================
Tests: 15 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 2)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 parquet-to-csv.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "glue-jobs" {
   2 │   bucket_prefix = "glue-jobs-"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 parquet-to-csv.tf:25-33
────────────────────────────────────────
  25resource "aws_s3_bucket_server_side_encryption_configuration" "csv-output-bucket" {
  26 │   bucket = aws_s3_bucket.csv-output-bucket.id
  2728 │   rule {
  29 │     apply_server_side_encryption_by_default {
  30 │       sse_algorithm = "AES256"
  31 │     }
  32 │   }
  33 └ }
────────────────────────────────────────



register-my-data.tf (terraform)
===============================
Tests: 9 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 register-my-data.tf:92-100
────────────────────────────────────────
  92resource "aws_s3_bucket_server_side_encryption_configuration" "ap_export_bucket" {
  93 │   bucket = aws_s3_bucket.ap_export_bucket.id
  9495 │   rule {
  96 │     apply_server_side_encryption_by_default {
  97 │       sse_algorithm = "AES256"
  98 │     }
  99 │   }
 100 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 10 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 10)
Failures: 0 (HIGH: 0, CRITICAL: 0)


unzipped-s3-store.tf (terraform)
================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 unzipped-s3-store.tf:15-23
────────────────────────────────────────
  15resource "aws_s3_bucket_server_side_encryption_configuration" "unzipped_store" {
  16 │   bucket = aws_s3_bucket.unzipped_store.id
  1718 │   rule {
  19 │     apply_server_side_encryption_by_default {
  20 │       sse_algorithm = "AES256"
  21 │     }
  22 │   }
  23 └ }
────────────────────────────────────────


trivy_exitcode=1

@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 14, 2024 13:57 — with GitHub Actions Inactive
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 14:16 — with GitHub Actions Failure
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 14:31 — with GitHub Actions Failure
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 14:50 — with GitHub Actions Error
@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 14, 2024 15:12 — with GitHub Actions Inactive
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 15:22 — with GitHub Actions Failure
@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 14, 2024 15:28 — with GitHub Actions Inactive
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 14, 2024 15:36 — with GitHub Actions Error
@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 14, 2024 15:54 — with GitHub Actions Inactive
@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 14, 2024 15:58 — with GitHub Actions Inactive
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@matt-heery Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@matt-heery Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

ASTRobinson
ASTRobinson previously approved these changes Jun 17, 2024
@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 17, 2024 09:46 — with GitHub Actions Inactive
@matt-heery matt-heery removed request for a team June 18, 2024 16:08
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 19, 2024 09:47 — with GitHub Actions Error
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development June 19, 2024 09:55 — with GitHub Actions Error
@luke-a-williams
Copy link
Contributor

Matt H has run us through all of the changes, it all seems reasonable. A couple of comments that can be fixed in other PRs after this is merged include:

  • Using templatefile within the terraform to isolate the step function JSON into their own files could significantly tidy this section up, but we might as well do it on all of them at once.
  • IAM permissions are set a * for I think it was Athena and Flue, but not S3. This appeared to be fine at the moment but should we consider limiting this scope at a later date?
  • There were some changes that weren't relevant to the PR, which Madhu or I have picked up in the review with him in person and Matt H is currently fixing.

@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 19, 2024 10:43 — with GitHub Actions Inactive
@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 19, 2024 12:37 — with GitHub Actions Inactive
Copy link
Contributor

@luke-a-williams luke-a-williams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a lot of changes, and in future we will be splitting this up into smaller bite sized chunks to merge a larger PR in later. We reviewed it as a team together but some of the changes appear to ned MOD platform approval. This review should be prioritised over mine.

@matt-heery matt-heery merged commit 2e1f8df into main Jun 19, 2024
11 of 12 checks passed
@matt-heery matt-heery deleted the edit-step-function-athena-validation branch June 19, 2024 12:50
@matt-heery matt-heery temporarily deployed to electronic-monitoring-data-development June 25, 2024 10:36 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update github-workflow
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants