DV_GlueJob_V3_Altered #6768

Merged
merged 9 commits into from
Jun 27, 2024

madhu-k-sr2
Contributor

No description provided.

@madhu-k-sr2 madhu-k-sr2 requested review from a team as code owners June 27, 2024 10:53
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 27, 2024
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development June 27, 2024 10:55 — with GitHub Actions Inactive
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T10:55:55Z INFO Need to update DB
2024-06-27T10:55:55Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T10:55:57Z INFO Vulnerability scanning is enabled
2024-06-27T10:55:57Z INFO Misconfiguration scanning is enabled
2024-06-27T10:55:57Z INFO Need to update the built-in policies
2024-06-27T10:55:57Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T10:55:57Z INFO Secret scanning is enabled
2024-06-27T10:55:57Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T10:55:57Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T10:55:58Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-06-27T10:56:01Z INFO Number of language-specific files num=1
2024-06-27T10:56:01Z INFO [pip] Detecting vulnerabilities...
2024-06-27T10:56:01Z INFO Detected config files num=26

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
141 │ #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
142 │
143 │ bucket = aws_s3_bucket.default.id
144 │ rule {
145 │ apply_server_side_encryption_by_default {
146 │ sse_algorithm = var.sse_algorithm
147 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
148 └ }
...
────────────────────────────────────────

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/ecr/main.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/lambdas/main.tf (terraform)

Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-27 10:56:03,664 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-27 10:56:03,664 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1350, Failed checks: 96, Skipped checks: 8

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:83-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v3
	File: /dms_data_validation_glue_job.tf:140-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:201-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		201 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		202 |   name              = "catalog-dv-table-glue-job"
		203 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		204 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		205 |   glue_version      = "4.0"
		206 |   worker_type       = "G.1X"
		207 |   number_of_workers = 2
		208 |   default_arguments = {
		209 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		210 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		211 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		212 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		213 |     "--enable-continuous-cloudwatch-log" = "true"
		214 |     "--enable-continuous-log-filter"     = "true"
		215 |     "--enable-metrics"                   = ""
		216 |   }
		217 |   command {
		218 |     python_version  = "3"
		219 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		220 |   }
		221 | 
		222 |   tags = merge(
		223 |     local.tags,
		224 |     {
		225 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		226 |     }
		227 |   )
		228 | 
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
11 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 243:
 243: data "archive_file" "output_file_structure_as_json_from_zip" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 140:
 140:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 150:
 150:                 "Resource": "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 163:
 163:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T10:55:55Z	INFO	Need to update DB
2024-06-27T10:55:55Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T10:55:57Z	INFO	Vulnerability scanning is enabled
2024-06-27T10:55:57Z	INFO	Misconfiguration scanning is enabled
2024-06-27T10:55:57Z	INFO	Need to update the built-in policies
2024-06-27T10:55:57Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T10:55:57Z	INFO	Secret scanning is enabled
2024-06-27T10:55:57Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T10:55:57Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T10:55:58Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-06-27T10:56:01Z	INFO	Number of language-specific files	num=1
2024-06-27T10:56:01Z	INFO	[pip] Detecting vulnerabilities...
2024-06-27T10:56:01Z	INFO	Detected config files	num=26

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)
=======================================================================================================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
   via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
 140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 141 │   #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
 142 │
 143 │   bucket = aws_s3_bucket.default.id
 144 │   rule {
 145 │     apply_server_side_encryption_by_default {
 146 │       sse_algorithm     = var.sse_algorithm
 147 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 148 └     }
 ...   
────────────────────────────────────────



glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/ecr/main.tf (terraform)
===============================
Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/lambdas/main.tf (terraform)
===================================
Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  42 │
  43 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T11:15:28Z INFO Need to update DB
2024-06-27T11:15:28Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T11:15:30Z INFO Vulnerability scanning is enabled
2024-06-27T11:15:30Z INFO Misconfiguration scanning is enabled
2024-06-27T11:15:30Z INFO Need to update the built-in policies
2024-06-27T11:15:30Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T11:15:30Z INFO Secret scanning is enabled
2024-06-27T11:15:30Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:15:30Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:15:35Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-06-27T11:15:35Z INFO Number of language-specific files num=1
2024-06-27T11:15:35Z INFO [pip] Detecting vulnerabilities...
2024-06-27T11:15:35Z INFO Detected config files num=26

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
141 │ #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
142 │
143 │ bucket = aws_s3_bucket.default.id
144 │ rule {
145 │ apply_server_side_encryption_by_default {
146 │ sse_algorithm = var.sse_algorithm
147 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
148 └ }
...
────────────────────────────────────────

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/ecr/main.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/lambdas/main.tf (terraform)

Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-27 11:15:37,926 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-27 11:15:37,927 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1350, Failed checks: 96, Skipped checks: 8

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:83-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v3
	File: /dms_data_validation_glue_job.tf:140-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:201-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		201 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		202 |   name              = "catalog-dv-table-glue-job"
		203 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		204 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		205 |   glue_version      = "4.0"
		206 |   worker_type       = "G.1X"
		207 |   number_of_workers = 2
		208 |   default_arguments = {
		209 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		210 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		211 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		212 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		213 |     "--enable-continuous-cloudwatch-log" = "true"
		214 |     "--enable-continuous-log-filter"     = "true"
		215 |     "--enable-metrics"                   = ""
		216 |   }
		217 |   command {
		218 |     python_version  = "3"
		219 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		220 |   }
		221 | 
		222 |   tags = merge(
		223 |     local.tags,
		224 |     {
		225 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		226 |     }
		227 |   )
		228 | 
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
11 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 140:
 140:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 150:
 150:                 "Resource": "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 163:
 163:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T11:15:28Z	INFO	Need to update DB
2024-06-27T11:15:28Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T11:15:30Z	INFO	Vulnerability scanning is enabled
2024-06-27T11:15:30Z	INFO	Misconfiguration scanning is enabled
2024-06-27T11:15:30Z	INFO	Need to update the built-in policies
2024-06-27T11:15:30Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T11:15:30Z	INFO	Secret scanning is enabled
2024-06-27T11:15:30Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:15:30Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:15:35Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-06-27T11:15:35Z	INFO	Number of language-specific files	num=1
2024-06-27T11:15:35Z	INFO	[pip] Detecting vulnerabilities...
2024-06-27T11:15:35Z	INFO	Detected config files	num=26

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)
=======================================================================================================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
   via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
 140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 141 │   #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
 142 │ 
 143 │   bucket = aws_s3_bucket.default.id
 144 │   rule {
 145 │     apply_server_side_encryption_by_default {
 146 │       sse_algorithm     = var.sse_algorithm
 147 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 148 └     }
 ...   
────────────────────────────────────────



glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/ecr/main.tf (terraform)
===============================
Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/lambdas/main.tf (terraform)
===================================
Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  42 │
  43 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development June 27, 2024 11:22 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development June 27, 2024 11:31 — with GitHub Actions Inactive

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T11:32:31Z INFO Need to update DB
2024-06-27T11:32:31Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T11:32:33Z INFO Vulnerability scanning is enabled
2024-06-27T11:32:33Z INFO Misconfiguration scanning is enabled
2024-06-27T11:32:33Z INFO Need to update the built-in policies
2024-06-27T11:32:33Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-27T11:32:33Z INFO Secret scanning is enabled
2024-06-27T11:32:33Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:32:33Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:32:34Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-06-27T11:32:36Z INFO Number of language-specific files num=1
2024-06-27T11:32:36Z INFO [pip] Detecting vulnerabilities...
2024-06-27T11:32:36Z INFO Detected config files num=26

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
141 │ #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
142 │
143 │ bucket = aws_s3_bucket.default.id
144 │ rule {
145 │ apply_server_side_encryption_by_default {
146 │ sse_algorithm = var.sse_algorithm
147 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
148 └ }
...
────────────────────────────────────────

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/ecr/main.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/lambdas/main.tf (terraform)

Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-27 11:32:38,959 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-27 11:32:38,959 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1350, Failed checks: 96, Skipped checks: 8

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:83-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v3
	File: /dms_data_validation_glue_job.tf:140-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:201-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		201 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		202 |   name              = "catalog-dv-table-glue-job"
		203 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		204 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		205 |   glue_version      = "4.0"
		206 |   worker_type       = "G.1X"
		207 |   number_of_workers = 2
		208 |   default_arguments = {
		209 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		210 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		211 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		212 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		213 |     "--enable-continuous-cloudwatch-log" = "true"
		214 |     "--enable-continuous-log-filter"     = "true"
		215 |     "--enable-metrics"                   = ""
		216 |   }
		217 |   command {
		218 |     python_version  = "3"
		219 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		220 |   }
		221 | 
		222 |   tags = merge(
		223 |     local.tags,
		224 |     {
		225 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		226 |     }
		227 |   )
		228 | 
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
11 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 140:
 140:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 150:
 150:                 "Resource": "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 163:
 163:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T11:32:31Z	INFO	Need to update DB
2024-06-27T11:32:31Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T11:32:33Z	INFO	Vulnerability scanning is enabled
2024-06-27T11:32:33Z	INFO	Misconfiguration scanning is enabled
2024-06-27T11:32:33Z	INFO	Need to update the built-in policies
2024-06-27T11:32:33Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T11:32:33Z	INFO	Secret scanning is enabled
2024-06-27T11:32:33Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:32:33Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:32:34Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-06-27T11:32:36Z	INFO	Number of language-specific files	num=1
2024-06-27T11:32:36Z	INFO	[pip] Detecting vulnerabilities...
2024-06-27T11:32:36Z	INFO	Detected config files	num=26

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)
=======================================================================================================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
   via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
 140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 141 │   #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
 142 │
 143 │   bucket = aws_s3_bucket.default.id
 144 │   rule {
 145 │     apply_server_side_encryption_by_default {
 146 │       sse_algorithm     = var.sse_algorithm
 147 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 148 └     }
 ...   
────────────────────────────────────────



glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/ecr/main.tf (terraform)
===============================
Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/lambdas/main.tf (terraform)
===================================
Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  42 │
  43 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1


Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T11:50:17Z INFO Need to update DB
2024-06-27T11:50:17Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T11:50:19Z INFO Vulnerability scanning is enabled
2024-06-27T11:50:19Z INFO Misconfiguration scanning is enabled
2024-06-27T11:50:19Z INFO Need to update the built-in policies
2024-06-27T11:50:19Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T11:50:19Z INFO Secret scanning is enabled
2024-06-27T11:50:19Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:50:19Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:50:24Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-06-27T11:50:24Z INFO Number of language-specific files num=1
2024-06-27T11:50:24Z INFO [pip] Detecting vulnerabilities...
2024-06-27T11:50:24Z INFO Detected config files num=26

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
141 │ #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
142 │
143 │ bucket = aws_s3_bucket.default.id
144 │ rule {
145 │ apply_server_side_encryption_by_default {
146 │ sse_algorithm = var.sse_algorithm
147 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
148 └ }
...
────────────────────────────────────────

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/ecr/main.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/lambdas/main.tf (terraform)

Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-27 11:50:26,873 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-27 11:50:26,873 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1350, Failed checks: 96, Skipped checks: 8

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:83-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v3
	File: /dms_data_validation_glue_job.tf:140-201
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
11 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 243:
 243: data "archive_file" "output_file_structure_as_json_from_zip" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 140:
 140:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 150:
 150:                 "Resource": "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 163:
 163:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T11:50:17Z	INFO	Need to update DB
2024-06-27T11:50:17Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T11:50:19Z	INFO	Vulnerability scanning is enabled
2024-06-27T11:50:19Z	INFO	Misconfiguration scanning is enabled
2024-06-27T11:50:19Z	INFO	Need to update the built-in policies
2024-06-27T11:50:19Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T11:50:19Z	INFO	Secret scanning is enabled
2024-06-27T11:50:19Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:50:19Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:50:24Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-06-27T11:50:24Z	INFO	Number of language-specific files	num=1
2024-06-27T11:50:24Z	INFO	[pip] Detecting vulnerabilities...
2024-06-27T11:50:24Z	INFO	Detected config files	num=26

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)
=======================================================================================================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
   via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
 140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 141 │   #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
 142 │
 143 │   bucket = aws_s3_bucket.default.id
 144 │   rule {
 145 │     apply_server_side_encryption_by_default {
 146 │       sse_algorithm     = var.sse_algorithm
 147 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 148 └     }
 ...   
────────────────────────────────────────



glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/ecr/main.tf (terraform)
===============================
Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/lambdas/main.tf (terraform)
===================================
Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  42 │
  43 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development June 27, 2024 11:54 — with GitHub Actions Inactive

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T12:13:12Z INFO Need to update DB
2024-06-27T12:13:12Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T12:13:14Z INFO Vulnerability scanning is enabled
2024-06-27T12:13:14Z INFO Misconfiguration scanning is enabled
2024-06-27T12:13:14Z INFO Need to update the built-in policies
2024-06-27T12:13:14Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T12:13:14Z INFO Secret scanning is enabled
2024-06-27T12:13:14Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T12:13:14Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T12:13:15Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-06-27T12:13:18Z INFO Number of language-specific files num=1
2024-06-27T12:13:18Z INFO [pip] Detecting vulnerabilities...
2024-06-27T12:13:18Z INFO Detected config files num=26

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
141 │ #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
142 │
143 │ bucket = aws_s3_bucket.default.id
144 │ rule {
145 │ apply_server_side_encryption_by_default {
146 │ sse_algorithm = var.sse_algorithm
147 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
148 └ }
...
────────────────────────────────────────

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/ecr/main.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/lambdas/main.tf (terraform)

Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-27 12:13:21,192 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-27 12:13:21,192 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1350, Failed checks: 96, Skipped checks: 8

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:83-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v3
	File: /dms_data_validation_glue_job.tf:140-201
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
11 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 243:
 243: data "archive_file" "output_file_structure_as_json_from_zip" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 140:
 140:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 150:
 150:                 "Resource": "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 163:
 163:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T12:13:12Z	INFO	Need to update DB
2024-06-27T12:13:12Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T12:13:14Z	INFO	Vulnerability scanning is enabled
2024-06-27T12:13:14Z	INFO	Misconfiguration scanning is enabled
2024-06-27T12:13:14Z	INFO	Need to update the built-in policies
2024-06-27T12:13:14Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T12:13:14Z	INFO	Secret scanning is enabled
2024-06-27T12:13:14Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T12:13:14Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T12:13:15Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-06-27T12:13:18Z	INFO	Number of language-specific files	num=1
2024-06-27T12:13:18Z	INFO	[pip] Detecting vulnerabilities...
2024-06-27T12:13:18Z	INFO	Detected config files	num=26

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)
=======================================================================================================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
   via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
 140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 141 │   #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
 142 │
 143 │   bucket = aws_s3_bucket.default.id
 144 │   rule {
 145 │     apply_server_side_encryption_by_default {
 146 │       sse_algorithm     = var.sse_algorithm
 147 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 148 └     }
 ...   
────────────────────────────────────────



glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/ecr/main.tf (terraform)
===============================
Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/lambdas/main.tf (terraform)
===================================
Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  42 │
  43 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development June 27, 2024 12:40 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/analytical-platform-compute
2024-06-27T14:25:13Z INFO Need to update DB
2024-06-27T14:25:13Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T14:25:15Z INFO Vulnerability scanning is enabled
2024-06-27T14:25:15Z INFO Misconfiguration scanning is enabled
2024-06-27T14:25:15Z INFO Need to update the built-in policies
2024-06-27T14:25:15Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T14:25:15Z INFO Secret scanning is enabled
2024-06-27T14:25:15Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T14:25:15Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T14:25:35Z INFO Number of language-specific files num=0
2024-06-27T14:25:35Z INFO Detected config files num=18

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=73b752a1e365808a7214f064845e958e65c548bd/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=73b752a1e365808a7214f064845e958e65c548bd/modules/karpenter/main.tf (terraform)

Tests: 8 (SUCCESSES: 3, FAILURES: 0, EXCEPTIONS: 5)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)

Tests: 25 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 25)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam-policies.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0


Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T14:25:36Z INFO Vulnerability scanning is enabled
2024-06-27T14:25:36Z INFO Misconfiguration scanning is enabled
2024-06-27T14:25:36Z INFO Secret scanning is enabled
2024-06-27T14:25:36Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T14:25:36Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T14:25:39Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-06-27T14:25:39Z INFO Number of language-specific files num=1
2024-06-27T14:25:39Z INFO [pip] Detecting vulnerabilities...
2024-06-27T14:25:39Z INFO Detected config files num=26

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:52
via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
49 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
50 security_group_id = aws_security_group.glue_rds_conn_security_group.id
51
52 [ cidr_ipv4 = "0.0.0.0/0"
53 ip_protocol = "tcp"
54 from_port = 0
55 to_port = 65535
56 description = "Required ports open for Glue-RDS-Connection"
57 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)

Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
141 │ #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
142 │
143 │ bucket = aws_s3_bucket.default.id
144 │ rule {
145 │ apply_server_side_encryption_by_default {
146 │ sse_algorithm = var.sse_algorithm
147 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
148 └ }
...
────────────────────────────────────────

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/ecr/main.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/lambdas/main.tf (terraform)

Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:56-91 (module.g4s)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-27 14:25:42,141 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.2.1 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,141 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,141 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,141 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,141 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.14.0 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,141 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.14.0 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,142 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.7.0 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,142 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,142 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,142 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,142 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,142 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,143 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.4.0 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,143 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.3.1 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,143 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,143 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:42,143 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.1.2 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 83, Failed checks: 0, Skipped checks: 88


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-27 14:25:45,522 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-27 14:25:45,522 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1350, Failed checks: 96, Skipped checks: 8

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:76-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		76 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		77 |   name              = "dms-dv-glue-job"
		78 |   retention_in_days = 14
		79 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:83-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v3
	File: /dms_data_validation_glue_job.tf:140-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:201-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		201 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		202 |   name              = "catalog-dv-table-glue-job"
		203 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		204 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		205 |   glue_version      = "4.0"
		206 |   worker_type       = "G.1X"
		207 |   number_of_workers = 2
		208 |   default_arguments = {
		209 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		210 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		211 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		212 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		213 |     "--enable-continuous-cloudwatch-log" = "true"
		214 |     "--enable-continuous-log-filter"     = "true"
		215 |     "--enable-metrics"                   = ""
		216 |   }
		217 |   command {
		218 |     python_version  = "3"
		219 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		220 |   }
		221 | 
		222 |   tags = merge(
		223 |     local.tags,
		224 |     {
		225 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		226 |     }
		227 |   )
		228 | 
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:59-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		59 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		60 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		61 | 
		62 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		63 |   ip_protocol                  = "tcp"
		64 |   from_port                    = 0
		65 |   to_port                      = 65535
		66 |   description                  = "Required ports open for Glue-RDS-Connection"
		67 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:36-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		36 | resource "aws_security_group" "glue_rds_conn_security_group" {
		37 |   name        = "glue-rds-sqlserver-connection-tf"
		38 |   description = "Secuity Group for Glue-RDS-Connection"
		39 |   vpc_id      = data.aws_vpc.shared.id
		40 | 
		41 |   tags = merge(
		42 |     local.tags,
		43 |     {
		44 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		45 |     }
		46 |   )
		47 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.data_store
	File: /data_store.tf:23-31

		23 | resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
		24 |   bucket = aws_s3_bucket.data_store.id
		25 | 
		26 |   rule {
		27 |     apply_server_side_encryption_by_default {
		28 |       sse_algorithm = "AES256"
		29 |     }
		30 |   }
		31 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: aws_s3_bucket_server_side_encryption_configuration.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
		21 |   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.aws_s3_bucket_server_side_encryption_configuration.landing_bucket
	File: /modules/landing_zone/main.tf:40-48

		40 | resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
		41 |   bucket = aws_s3_bucket.landing_bucket.id
		42 | 
		43 |   rule {
		44 |     apply_server_side_encryption_by_default {
		45 |       sse_algorithm = "AES256"
		46 |     }
		47 |   }
		48 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

Check: CKV2_AWS_67: "Ensure AWS S3 bucket is encrypted with a Customer Managed Key (CMK) and the key has regular rotation"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket_server_side_encryption_configuration.this
	File: /modules/s3_log_bucket/main.tf:20-28

		20 | resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
		21 |   bucket = aws_s3_bucket.this.id
		22 | 
		23 |   rule {
		24 |     apply_server_side_encryption_by_default {
		25 |       sse_algorithm = "AES256"
		26 |     }
		27 |   }
		28 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/analytical-platform-compute terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
11 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 140:
 140:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 150:
 150:                 "Resource": "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 163:
 163:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2024-06-27T14:25:13Z	INFO	Need to update DB
2024-06-27T14:25:13Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T14:25:15Z	INFO	Vulnerability scanning is enabled
2024-06-27T14:25:15Z	INFO	Misconfiguration scanning is enabled
2024-06-27T14:25:15Z	INFO	Need to update the built-in policies
2024-06-27T14:25:15Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-27T14:25:15Z	INFO	Secret scanning is enabled
2024-06-27T14:25:15Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T14:25:15Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T14:25:35Z	INFO	Number of language-specific files	num=0
2024-06-27T14:25:35Z	INFO	Detected config files	num=18

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=73b752a1e365808a7214f064845e958e65c548bd/main.tf (terraform)
===============================================================================================================================
Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=73b752a1e365808a7214f064845e958e65c548bd/modules/karpenter/main.tf (terraform)
=================================================================================================================================================
Tests: 8 (SUCCESSES: 3, FAILURES: 0, EXCEPTIONS: 5)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)
=============================================================================================================================================================================
Tests: 25 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 25)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam-policies.tf (terraform)
===========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-06-27T14:25:36Z	INFO	Vulnerability scanning is enabled
2024-06-27T14:25:36Z	INFO	Misconfiguration scanning is enabled
2024-06-27T14:25:36Z	INFO	Secret scanning is enabled
2024-06-27T14:25:36Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T14:25:36Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T14:25:39Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-06-27T14:25:39Z	INFO	Number of language-specific files	num=1
2024-06-27T14:25:39Z	INFO	[pip] Detecting vulnerabilities...
2024-06-27T14:25:39Z	INFO	Detected config files	num=26

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_iam.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:52
   via dms_security_groups.tf:49-57 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  49   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  50     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  51   
  52 [   cidr_ipv4   = "0.0.0.0/0"
  53     ip_protocol = "tcp"
  54     from_port   = 0
  55     to_port     = 65535
  56     description = "Required ports open for Glue-RDS-Connection"
  57   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 14 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf (terraform)
=======================================================================================================
Tests: 19 (SUCCESSES: 18, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51/main.tf:140-150
   via s3_main.tf:87-151 (module.athena-s3-bucket)
────────────────────────────────────────
 140 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 141 │   #checkov:skip=CKV2_AWS_67: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation"
 142 │
 143 │   bucket = aws_s3_bucket.default.id
 144 │   rule {
 145 │     apply_server_side_encryption_by_default {
 146 │       sse_algorithm     = var.sse_algorithm
 147 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 148 └     }
 ...   
────────────────────────────────────────



glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 9 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 9)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/ecr/main.tf (terraform)
===============================
Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/lambdas/main.tf (terraform)
===================================
Tests: 40 (SUCCESSES: 16, FAILURES: 0, EXCEPTIONS: 24)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  42 │
  43 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 20 (SUCCESSES: 18, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:56-91 (module.g4s)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@matt-heery matt-heery left a comment

lgtm

@madhu-k-sr2 madhu-k-sr2 merged commit aa1351f into main Jun 27, 2024
9 of 12 checks passed
@madhu-k-sr2 madhu-k-sr2 deleted the ELM_2041_DV_V3_GlueJob_to_handle_bigdata_v4 branch June 27, 2024 14:41