Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update_080724 #6987

Merged
merged 1 commit into from
Jul 8, 2024
Merged

Update_080724 #6987

merged 1 commit into from
Jul 8, 2024

Conversation

nbuckingham72
Copy link
Collaborator

Update to EventBridge rules for re-enabling CPU alarm supression.

@nbuckingham72 nbuckingham72 requested review from a team as code owners July 8, 2024 09:53
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jul 8, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 8, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ppud

Running Trivy in terraform/environments/ppud
2024-07-08T09:55:40Z INFO Need to update DB
2024-07-08T09:55:40Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-08T09:55:42Z INFO Vulnerability scanning is enabled
2024-07-08T09:55:42Z INFO Misconfiguration scanning is enabled
2024-07-08T09:55:42Z INFO Need to update the built-in policies
2024-07-08T09:55:42Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-08T09:55:42Z INFO Secret scanning is enabled
2024-07-08T09:55:42Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-08T09:55:42Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-08T09:55:43Z INFO Number of language-specific files num=0
2024-07-08T09:55:43Z INFO Detected config files num=8

alb_external.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb_external.tf:81
via alb_external.tf:79-92 (aws_lb.WAM-ALB)
────────────────────────────────────────
79 resource "aws_lb" "WAM-ALB" {
..
81 [ internal = false
..
92 }
────────────────────────────────────────

iam.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

s3.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:105-113
────────────────────────────────────────
105 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
106 │ bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
107 │ tags = merge(
108 │ local.tags,
109 │ {
110 │ Name = "${local.application_name}-moj-health-check-reports"
111 │ }
112 │ )
113 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:105-113
────────────────────────────────────────
105 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
106 │ bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
107 │ tags = merge(
108 │ local.tags,
109 │ {
110 │ Name = "${local.application_name}-moj-health-check-reports"
111 │ }
112 │ )
113 └ }
────────────────────────────────────────

security_group.tf (terraform)

Tests: 39 (SUCCESSES: 25, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 0, CRITICAL: 14)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:52
via security_group.tf:47-54 (aws_security_group_rule.PPUD-WEB-Portal-egress-1)
────────────────────────────────────────
47 resource "aws_security_group_rule" "PPUD-WEB-Portal-egress-1" {
48 type = "egress"
49 from_port = 443
50 to_port = 443
51 protocol = "tcp"
52 [ cidr_blocks = ["0.0.0.0/0"]
53 security_group_id = aws_security_group.PPUD-WEB-Portal.id
54 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:61
via security_group.tf:56-63 (aws_security_group_rule.PPUD-WEB-Portal-egress-2)
────────────────────────────────────────
56 resource "aws_security_group_rule" "PPUD-WEB-Portal-egress-2" {
57 type = "egress"
58 from_port = 80
59 to_port = 80
60 protocol = "tcp"
61 [ cidr_blocks = ["0.0.0.0/0"]
62 security_group_id = aws_security_group.PPUD-WEB-Portal.id
63 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:434
via security_group.tf:428-436 (aws_security_group_rule.Primary-DOC-Server-Egress-1[0])
────────────────────────────────────────
428 resource "aws_security_group_rule" "Primary-DOC-Server-Egress-1" {
429 count = local.is-preproduction == false ? 1 : 0
430 type = "egress"
431 from_port = 443
432 to_port = 443
433 protocol = "tcp"
434 [ cidr_blocks = ["0.0.0.0/0"]
435 security_group_id = aws_security_group.Primary-DOC-Server[0].id
436 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:444
via security_group.tf:438-446 (aws_security_group_rule.Primary-DOC-Server-Egress-2[0])
────────────────────────────────────────
438 resource "aws_security_group_rule" "Primary-DOC-Server-Egress-2" {
439 count = local.is-preproduction == false ? 1 : 0
440 type = "egress"
441 from_port = 80
442 to_port = 80
443 protocol = "tcp"
444 [ cidr_blocks = ["0.0.0.0/0"]
445 security_group_id = aws_security_group.Primary-DOC-Server[0].id
446 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:506
via security_group.tf:500-508 (aws_security_group_rule.Secondary-DOC-Server-Egress-1[0])
────────────────────────────────────────
500 resource "aws_security_group_rule" "Secondary-DOC-Server-Egress-1" {
501 count = local.is-preproduction == false ? 1 : 0
502 type = "egress"
503 from_port = 443
504 to_port = 443
505 protocol = "tcp"
506 [ cidr_blocks = ["0.0.0.0/0"]
507 security_group_id = aws_security_group.Secondary-DOC-Server[0].id
508 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:516
via security_group.tf:510-518 (aws_security_group_rule.Secondary-DOC-Server-Egress-2[0])
────────────────────────────────────────
510 resource "aws_security_group_rule" "Secondary-DOC-Server-Egress-2" {
511 count = local.is-preproduction == false ? 1 : 0
512 type = "egress"
513 from_port = 80
514 to_port = 80
515 protocol = "tcp"
516 [ cidr_blocks = ["0.0.0.0/0"]
517 security_group_id = aws_security_group.Secondary-DOC-Server[0].id
518 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:700
via security_group.tf:694-702 (aws_security_group_rule.UAT-Bridge-Server-Egress-1[0])
────────────────────────────────────────
694 resource "aws_security_group_rule" "UAT-Bridge-Server-Egress-1" {
695 count = local.is-development == false ? 1 : 0
696 type = "egress"
697 from_port = 443
698 to_port = 443
699 protocol = "tcp"
700 [ cidr_blocks = ["0.0.0.0/0"]
701 security_group_id = aws_security_group.Bridge-Server[0].id
702 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:710
via security_group.tf:704-712 (aws_security_group_rule.UAT-Bridge-Server-Egress-2[0])
────────────────────────────────────────
704 resource "aws_security_group_rule" "UAT-Bridge-Server-Egress-2" {
705 count = local.is-development == false ? 1 : 0
706 type = "egress"
707 from_port = 80
708 to_port = 80
709 protocol = "tcp"
710 [ cidr_blocks = ["0.0.0.0/0"]
711 security_group_id = aws_security_group.Bridge-Server[0].id
712 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:163
via security_group.tf:158-165 (aws_security_group_rule.WAM-Data-Access-Server-Egress-1)
────────────────────────────────────────
158 resource "aws_security_group_rule" "WAM-Data-Access-Server-Egress-1" {
159 type = "egress"
160 from_port = 443
161 to_port = 443
162 protocol = "tcp"
163 [ cidr_blocks = ["0.0.0.0/0"]
164 security_group_id = aws_security_group.WAM-Data-Access-Server.id
165 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:172
via security_group.tf:167-174 (aws_security_group_rule.WAM-Data-Access-Server-Egress-2)
────────────────────────────────────────
167 resource "aws_security_group_rule" "WAM-Data-Access-Server-Egress-2" {
168 type = "egress"
169 from_port = 80
170 to_port = 80
171 protocol = "tcp"
172 [ cidr_blocks = ["0.0.0.0/0"]
173 security_group_id = aws_security_group.WAM-Data-Access-Server.id
174 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:107
via security_group.tf:102-109 (aws_security_group_rule.WAM-Portal-egress-1)
────────────────────────────────────────
102 resource "aws_security_group_rule" "WAM-Portal-egress-1" {
103 type = "egress"
104 from_port = 443
105 to_port = 443
106 protocol = "tcp"
107 [ cidr_blocks = ["0.0.0.0/0"]
108 security_group_id = aws_security_group.WAM-Portal.id
109 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
security_group.tf:116
via security_group.tf:111-118 (aws_security_group_rule.WAM-Portal-egress-2)
────────────────────────────────────────
111 resource "aws_security_group_rule" "WAM-Portal-egress-2" {
112 type = "egress"
113 from_port = 80
114 to_port = 80
115 protocol = "tcp"
116 [ cidr_blocks = ["0.0.0.0/0"]
117 security_group_id = aws_security_group.WAM-Portal.id
118 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
security_group.tf:596
via security_group.tf:591-598 (aws_security_group_rule.PPUD-ALB-Ingress)
────────────────────────────────────────
591 resource "aws_security_group_rule" "PPUD-ALB-Ingress" {
592 type = "ingress"
593 from_port = 443
594 to_port = 443
595 protocol = "tcp"
596 [ cidr_blocks = ["0.0.0.0/0"]
597 security_group_id = aws_security_group.PPUD-ALB.id
598 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
security_group.tf:633
via security_group.tf:628-635 (aws_security_group_rule.WAM-ALB-Ingress)
────────────────────────────────────────
628 resource "aws_security_group_rule" "WAM-ALB-Ingress" {
629 type = "ingress"
630 from_port = 443
631 to_port = 443
632 protocol = "tcp"
633 [ cidr_blocks = ["0.0.0.0/0"]
634 security_group_id = aws_security_group.WAM-ALB.id
635 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ppud

*****************************

Running Checkov in terraform/environments/ppud
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-08 09:55:46,252 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 669, Failed checks: 240, Skipped checks: 6

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.PPUD-ALB
	File: /alb_external.tf:4-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		4  | resource "aws_lb" "PPUD-ALB" {
		5  |   count              = local.is-development == true ? 1 : 0
		6  |   name               = "PPUD-ALB"
		7  |   internal           = false
		8  |   load_balancer_type = "application"
		9  |   security_groups    = [aws_security_group.PPUD-ALB.id]
		10 |   subnets            = [data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		11 | 
		12 |   enable_deletion_protection = true
		13 |   drop_invalid_header_fields = true
		14 | 
		15 |   tags = {
		16 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		17 |   }
		18 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.WAM-ALB
	File: /alb_external.tf:79-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		79 | resource "aws_lb" "WAM-ALB" {
		80 |   name               = local.application_data.accounts[local.environment].WAM_ALB
		81 |   internal           = false
		82 |   load_balancer_type = "application"
		83 |   security_groups    = [aws_security_group.WAM-ALB.id]
		84 |   subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
		85 | 
		86 |   enable_deletion_protection = true
		87 |   drop_invalid_header_fields = true
		88 | 
		89 |   tags = {
		90 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		91 |   }
		92 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.PPUD-internal-ALB
	File: /alb_internal.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		5  | resource "aws_lb" "PPUD-internal-ALB" {
		6  |   count              = local.is-development == false ? 1 : 0
		7  |   name               = local.application_data.accounts[local.environment].PPUD_Internal_ALB
		8  |   internal           = true
		9  |   idle_timeout       = 240
		10 |   load_balancer_type = "application"
		11 |   security_groups    = [aws_security_group.PPUD-ALB.id]
		12 |   subnets            = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
		13 | 
		14 |   enable_deletion_protection = true
		15 |   drop_invalid_header_fields = true
		16 | 
		17 |   tags = {
		18 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		19 |   }
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.Linux-Services-Logs
	File: /cloudwatch_linux.tf:169-173
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		169 | resource "aws_cloudwatch_log_group" "Linux-Services-Logs" {
		170 |   count             = local.is-production == true ? 1 : 0
		171 |   name              = "Linux-Services-Logs"
		172 |   retention_in_days = 365
		173 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.IIS-Logs
	File: /cloudwatch_windows.tf:166-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		166 | resource "aws_cloudwatch_log_group" "IIS-Logs" {
		167 |   count             = local.is-production == true ? 1 : 0
		168 |   name              = "IIS-Logs"
		169 |   retention_in_days = 365
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.System-Event-Logs
	File: /cloudwatch_windows.tf:172-176
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		172 | resource "aws_cloudwatch_log_group" "System-Event-Logs" {
		173 |   count             = local.is-production == true ? 1 : 0
		174 |   name              = "System-Event-Logs"
		175 |   retention_in_days = 365
		176 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.Application-Event-Logs
	File: /cloudwatch_windows.tf:178-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		178 | resource "aws_cloudwatch_log_group" "Application-Event-Logs" {
		179 |   count             = local.is-production == true ? 1 : 0
		180 |   name              = "Application-Event-Logs"
		181 |   retention_in_days = 365
		182 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.Windows-Services-Logs
	File: /cloudwatch_windows.tf:184-188
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		184 | resource "aws_cloudwatch_log_group" "Windows-Services-Logs" {
		185 |   count             = local.is-production == true ? 1 : 0
		186 |   name              = "Windows-Services-Logs"
		187 |   retention_in_days = 365
		188 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.Network-Connectivity-Logs
	File: /cloudwatch_windows.tf:190-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		190 | resource "aws_cloudwatch_log_group" "Network-Connectivity-Logs" {
		191 |   count             = local.is-production == true ? 1 : 0
		192 |   name              = "Network-Connectivity-Logs"
		193 |   retention_in_days = 365
		194 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.SQL-Server-Logs
	File: /cloudwatch_windows.tf:196-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		196 | resource "aws_cloudwatch_log_group" "SQL-Server-Logs" {
		197 |   count             = local.is-production == true ? 1 : 0
		198 |   name              = "SQL-Server-Logs"
		199 |   retention_in_days = 365
		200 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.Windows-Defender-Logs
	File: /cloudwatch_windows.tf:202-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		202 | resource "aws_cloudwatch_log_group" "Windows-Defender-Logs" {
		203 |   count             = local.is-production == true ? 1 : 0
		204 |   name              = "Windows-Defender-Logs"
		205 |   retention_in_days = 365
		206 | }

Check: CKV_AWS_123: "Ensure that VPC Endpoint Service is configured for Manual Acceptance"
	FAILED for resource: aws_vpc_endpoint_service.HomeOffice
	File: /endpointservice.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-vpc-endpoint-service-is-configured-for-manual-acceptance

		1 | resource "aws_vpc_endpoint_service" "HomeOffice" {
		2 |   count                      = local.is-production == true ? 1 : 0
		3 |   acceptance_required        = false
		4 |   network_load_balancer_arns = [aws_lb.ppud_internal_nlb[0].arn]
		5 |   tags = {
		6 |     Name = "HomeOffice-Endpoint"
		7 |   }
		8 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ppud_internal_nlb
	File: /endpointservice.tf:16-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ppud_internal_nlb" {
		17 |   count                      = local.is-production == true ? 1 : 0
		18 |   name                       = "ppud-internal-nlb"
		19 |   internal                   = true
		20 |   load_balancer_type         = "network"
		21 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
		22 |   security_groups            = [aws_security_group.PPUD-ALB.id]
		23 |   enable_deletion_protection = false # change it to true
		24 | 
		25 |   tags = {
		26 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		27 |   }
		28 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ppud_internal_nlb
	File: /endpointservice.tf:16-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		16 | resource "aws_lb" "ppud_internal_nlb" {
		17 |   count                      = local.is-production == true ? 1 : 0
		18 |   name                       = "ppud-internal-nlb"
		19 |   internal                   = true
		20 |   load_balancer_type         = "network"
		21 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
		22 |   security_groups            = [aws_security_group.PPUD-ALB.id]
		23 |   enable_deletion_protection = false # change it to true
		24 | 
		25 |   tags = {
		26 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		27 |   }
		28 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ppud_internal_nlb
	File: /endpointservice.tf:16-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		16 | resource "aws_lb" "ppud_internal_nlb" {
		17 |   count                      = local.is-production == true ? 1 : 0
		18 |   name                       = "ppud-internal-nlb"
		19 |   internal                   = true
		20 |   load_balancer_type         = "network"
		21 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
		22 |   security_groups            = [aws_security_group.PPUD-ALB.id]
		23 |   enable_deletion_protection = false # change it to true
		24 | 
		25 |   tags = {
		26 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		27 |   }
		28 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.iam_policy_for_lambda
	File: /iam.tf:146-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		146 | resource "aws_iam_policy" "iam_policy_for_lambda" {
		147 |   count       = local.is-production == true ? 1 : 0
		148 |   name        = "aws_iam_policy_for_terraform_aws_lambda_role"
		149 |   path        = "/"
		150 |   description = "AWS IAM Policy for managing aws lambda role"
		151 |   policy      = <<EOF
		152 | {
		153 |  "Version": "2012-10-17",
		154 |  "Statement": [
		155 |    {
		156 |      "Effect": "Allow",
		157 |      "Action": [
		158 |        "logs:CreateLogGroup",
		159 |        "logs:CreateLogStream",
		160 |        "logs:PutLogEvents"
		161 |      ],
		162 |      "Resource": "arn:aws:logs:*:*:*"
		163 |     },
		164 |    {
		165 |      "Effect": "Allow",
		166 |      "Action": [
		167 |         "ec2:Start*",
		168 |         "ec2:Stop*"
		169 |       ],
		170 |       "Resource": "*"
		171 |    }
		172 |  ]
		173 | }
		174 | EOF
		175 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.iam_policy_for_lambda
	File: /iam.tf:146-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		146 | resource "aws_iam_policy" "iam_policy_for_lambda" {
		147 |   count       = local.is-production == true ? 1 : 0
		148 |   name        = "aws_iam_policy_for_terraform_aws_lambda_role"
		149 |   path        = "/"
		150 |   description = "AWS IAM Policy for managing aws lambda role"
		151 |   policy      = <<EOF
		152 | {
		153 |  "Version": "2012-10-17",
		154 |  "Statement": [
		155 |    {
		156 |      "Effect": "Allow",
		157 |      "Action": [
		158 |        "logs:CreateLogGroup",
		159 |        "logs:CreateLogStream",
		160 |        "logs:PutLogEvents"
		161 |      ],
		162 |      "Resource": "arn:aws:logs:*:*:*"
		163 |     },
		164 |    {
		165 |      "Effect": "Allow",
		166 |      "Action": [
		167 |         "ec2:Start*",
		168 |         "ec2:Stop*"
		169 |       ],
		170 |       "Resource": "*"
		171 |    }
		172 |  ]
		173 | }
		174 | EOF
		175 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw109
	File: /instances.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		5  | resource "aws_instance" "s609693lo6vw109" {
		6  |   count                  = local.is-development == true ? 1 : 0
		7  |   ami                    = "ami-013198324453e6dc3"
		8  |   instance_type          = "m5.large"
		9  |   vpc_security_group_ids = [aws_security_group.SCR-Team-Foundation-Server[0].id]
		10 |   source_dest_check      = false
		11 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		12 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   tags = {
		20 |     Name        = "s609693lo6vw109"
		21 |     patch_group = "dev_win_patch"
		22 |     backup      = true
		23 |   }
		24 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw109
	File: /instances.tf:5-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		5  | resource "aws_instance" "s609693lo6vw109" {
		6  |   count                  = local.is-development == true ? 1 : 0
		7  |   ami                    = "ami-013198324453e6dc3"
		8  |   instance_type          = "m5.large"
		9  |   vpc_security_group_ids = [aws_security_group.SCR-Team-Foundation-Server[0].id]
		10 |   source_dest_check      = false
		11 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		12 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		13 | 
		14 |   metadata_options {
		15 |     http_tokens   = "required"
		16 |     http_endpoint = "enabled"
		17 |   }
		18 | 
		19 |   tags = {
		20 |     Name        = "s609693lo6vw109"
		21 |     patch_group = "dev_win_patch"
		22 |     backup      = true
		23 |   }
		24 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw112
	File: /instances.tf:26-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		26 | resource "aws_instance" "s609693lo6vw112" {
		27 |   count                  = local.is-development == true ? 1 : 0
		28 |   ami                    = "ami-0be53fc5198dbd294"
		29 |   instance_type          = "m5.large"
		30 |   vpc_security_group_ids = [aws_security_group.SCR-Team-Foundation-Server[0].id]
		31 |   source_dest_check      = false
		32 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		33 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		34 | 
		35 |   metadata_options {
		36 |     http_tokens   = "required"
		37 |     http_endpoint = "enabled"
		38 |   }
		39 | 
		40 |   tags = {
		41 |     Name        = "s609693lo6vw112"
		42 |     patch_group = "dev_win_patch"
		43 |     backup      = true
		44 |   }
		45 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw112
	File: /instances.tf:26-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		26 | resource "aws_instance" "s609693lo6vw112" {
		27 |   count                  = local.is-development == true ? 1 : 0
		28 |   ami                    = "ami-0be53fc5198dbd294"
		29 |   instance_type          = "m5.large"
		30 |   vpc_security_group_ids = [aws_security_group.SCR-Team-Foundation-Server[0].id]
		31 |   source_dest_check      = false
		32 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		33 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		34 | 
		35 |   metadata_options {
		36 |     http_tokens   = "required"
		37 |     http_endpoint = "enabled"
		38 |   }
		39 | 
		40 |   tags = {
		41 |     Name        = "s609693lo6vw112"
		42 |     patch_group = "dev_win_patch"
		43 |     backup      = true
		44 |   }
		45 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw105
	File: /instances.tf:47-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		47 | resource "aws_instance" "s609693lo6vw105" {
		48 |   count                  = local.is-development == true ? 1 : 0
		49 |   ami                    = "ami-0edd8d3e58d106f40"
		50 |   instance_type          = "m5.large"
		51 |   source_dest_check      = false
		52 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		53 |   vpc_security_group_ids = [aws_security_group.WAM-Portal.id]
		54 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		55 | 
		56 |   metadata_options {
		57 |     http_tokens   = "required"
		58 |     http_endpoint = "enabled"
		59 |   }
		60 | 
		61 |   tags = {
		62 |     Name        = "s609693lo6vw105"
		63 |     patch_group = "dev_win_patch"
		64 |     backup      = true
		65 |   }
		66 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw105
	File: /instances.tf:47-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		47 | resource "aws_instance" "s609693lo6vw105" {
		48 |   count                  = local.is-development == true ? 1 : 0
		49 |   ami                    = "ami-0edd8d3e58d106f40"
		50 |   instance_type          = "m5.large"
		51 |   source_dest_check      = false
		52 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		53 |   vpc_security_group_ids = [aws_security_group.WAM-Portal.id]
		54 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		55 | 
		56 |   metadata_options {
		57 |     http_tokens   = "required"
		58 |     http_endpoint = "enabled"
		59 |   }
		60 | 
		61 |   tags = {
		62 |     Name        = "s609693lo6vw105"
		63 |     patch_group = "dev_win_patch"
		64 |     backup      = true
		65 |   }
		66 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw104
	File: /instances.tf:68-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		68 | resource "aws_instance" "s609693lo6vw104" {
		69 |   count                  = local.is-development == true ? 1 : 0
		70 |   ami                    = "ami-0f115a52a37278d93"
		71 |   instance_type          = "m5.large"
		72 |   source_dest_check      = false
		73 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		74 |   vpc_security_group_ids = [aws_security_group.WAM-Data-Access-Server.id]
		75 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		76 | 
		77 |   metadata_options {
		78 |     http_tokens   = "required"
		79 |     http_endpoint = "enabled"
		80 |   }
		81 | 
		82 |   tags = {
		83 |     Name        = "s609693lo6vw104"
		84 |     patch_group = "dev_win_patch"
		85 |     backup      = true
		86 |   }
		87 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw104
	File: /instances.tf:68-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		68 | resource "aws_instance" "s609693lo6vw104" {
		69 |   count                  = local.is-development == true ? 1 : 0
		70 |   ami                    = "ami-0f115a52a37278d93"
		71 |   instance_type          = "m5.large"
		72 |   source_dest_check      = false
		73 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		74 |   vpc_security_group_ids = [aws_security_group.WAM-Data-Access-Server.id]
		75 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		76 | 
		77 |   metadata_options {
		78 |     http_tokens   = "required"
		79 |     http_endpoint = "enabled"
		80 |   }
		81 | 
		82 |   tags = {
		83 |     Name        = "s609693lo6vw104"
		84 |     patch_group = "dev_win_patch"
		85 |     backup      = true
		86 |   }
		87 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw100
	File: /instances.tf:89-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		89  | resource "aws_instance" "s609693lo6vw100" {
		90  |   count                  = local.is-development == true ? 1 : 0
		91  |   ami                    = "ami-0fbad994892c0f0c4"
		92  |   instance_type          = "m5.large"
		93  |   source_dest_check      = false
		94  |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		95  |   vpc_security_group_ids = [aws_security_group.PPUD-Database-Server[0].id]
		96  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		97  | 
		98  |   metadata_options {
		99  |     http_tokens   = "required"
		100 |     http_endpoint = "enabled"
		101 |   }
		102 | 
		103 |   tags = {
		104 |     Name        = "s609693lo6vw100"
		105 |     patch_group = "dev_win_patch"
		106 |     backup      = true
		107 |   }
		108 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw100
	File: /instances.tf:89-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		89  | resource "aws_instance" "s609693lo6vw100" {
		90  |   count                  = local.is-development == true ? 1 : 0
		91  |   ami                    = "ami-0fbad994892c0f0c4"
		92  |   instance_type          = "m5.large"
		93  |   source_dest_check      = false
		94  |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		95  |   vpc_security_group_ids = [aws_security_group.PPUD-Database-Server[0].id]
		96  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		97  | 
		98  |   metadata_options {
		99  |     http_tokens   = "required"
		100 |     http_endpoint = "enabled"
		101 |   }
		102 | 
		103 |   tags = {
		104 |     Name        = "s609693lo6vw100"
		105 |     patch_group = "dev_win_patch"
		106 |     backup      = true
		107 |   }
		108 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw101
	File: /instances.tf:110-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		110 | resource "aws_instance" "s609693lo6vw101" {
		111 |   count                  = local.is-development == true ? 1 : 0
		112 |   ami                    = "ami-07315ed3a1b524be8"
		113 |   instance_type          = "m5.large"
		114 |   source_dest_check      = false
		115 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		116 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		117 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		118 | 
		119 |   metadata_options {
		120 |     http_tokens   = "required"
		121 |     http_endpoint = "enabled"
		122 |   }
		123 | 
		124 |   tags = {
		125 |     Name        = "s609693lo6vw101"
		126 |     patch_group = "dev_win_patch"
		127 |     backup      = true
		128 |   }
		129 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw101
	File: /instances.tf:110-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		110 | resource "aws_instance" "s609693lo6vw101" {
		111 |   count                  = local.is-development == true ? 1 : 0
		112 |   ami                    = "ami-07315ed3a1b524be8"
		113 |   instance_type          = "m5.large"
		114 |   source_dest_check      = false
		115 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		116 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		117 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		118 | 
		119 |   metadata_options {
		120 |     http_tokens   = "required"
		121 |     http_endpoint = "enabled"
		122 |   }
		123 | 
		124 |   tags = {
		125 |     Name        = "s609693lo6vw101"
		126 |     patch_group = "dev_win_patch"
		127 |     backup      = true
		128 |   }
		129 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw103
	File: /instances.tf:131-150
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		131 | resource "aws_instance" "s609693lo6vw103" {
		132 |   count                  = local.is-development == true ? 1 : 0
		133 |   ami                    = "ami-09bf383e2d58df1c7"
		134 |   instance_type          = "m5.large"
		135 |   source_dest_check      = false
		136 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		137 |   vpc_security_group_ids = [aws_security_group.Primary-DOC-Server[0].id]
		138 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		139 | 
		140 |   metadata_options {
		141 |     http_tokens   = "required"
		142 |     http_endpoint = "enabled"
		143 |   }
		144 | 
		145 |   tags = {
		146 |     Name        = "s609693lo6vw103"
		147 |     patch_group = "dev_win_patch"
		148 |     backup      = true
		149 |   }
		150 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw103
	File: /instances.tf:131-150
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		131 | resource "aws_instance" "s609693lo6vw103" {
		132 |   count                  = local.is-development == true ? 1 : 0
		133 |   ami                    = "ami-09bf383e2d58df1c7"
		134 |   instance_type          = "m5.large"
		135 |   source_dest_check      = false
		136 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		137 |   vpc_security_group_ids = [aws_security_group.Primary-DOC-Server[0].id]
		138 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		139 | 
		140 |   metadata_options {
		141 |     http_tokens   = "required"
		142 |     http_endpoint = "enabled"
		143 |   }
		144 | 
		145 |   tags = {
		146 |     Name        = "s609693lo6vw103"
		147 |     patch_group = "dev_win_patch"
		148 |     backup      = true
		149 |   }
		150 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw110
	File: /instances.tf:152-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		152 | resource "aws_instance" "s609693lo6vw110" {
		153 |   count                  = local.is-development == true ? 1 : 0
		154 |   ami                    = "ami-0c261875f6ed81278"
		155 |   instance_type          = "m5.large"
		156 |   source_dest_check      = false
		157 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		158 |   vpc_security_group_ids = [aws_security_group.Primary-DOC-Server[0].id]
		159 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		160 | 
		161 |   metadata_options {
		162 |     http_tokens   = "required"
		163 |     http_endpoint = "enabled"
		164 |   }
		165 | 
		166 |   tags = {
		167 |     Name        = "s609693lo6vw110"
		168 |     patch_group = "dev_win_patch"
		169 |     backup      = true
		170 |   }
		171 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw110
	File: /instances.tf:152-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		152 | resource "aws_instance" "s609693lo6vw110" {
		153 |   count                  = local.is-development == true ? 1 : 0
		154 |   ami                    = "ami-0c261875f6ed81278"
		155 |   instance_type          = "m5.large"
		156 |   source_dest_check      = false
		157 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		158 |   vpc_security_group_ids = [aws_security_group.Primary-DOC-Server[0].id]
		159 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		160 | 
		161 |   metadata_options {
		162 |     http_tokens   = "required"
		163 |     http_endpoint = "enabled"
		164 |   }
		165 | 
		166 |   tags = {
		167 |     Name        = "s609693lo6vw110"
		168 |     patch_group = "dev_win_patch"
		169 |     backup      = true
		170 |   }
		171 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw106
	File: /instances.tf:173-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		173 | resource "aws_instance" "s609693lo6vw106" {
		174 |   count                  = local.is-development == true ? 1 : 0
		175 |   ami                    = "ami-0f9ea6b08039bb33b"
		176 |   instance_type          = "m5.large"
		177 |   source_dest_check      = false
		178 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		179 |   vpc_security_group_ids = [aws_security_group.Dev-Box-VW106[0].id]
		180 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		181 | 
		182 |   metadata_options {
		183 |     http_tokens   = "required"
		184 |     http_endpoint = "enabled"
		185 |   }
		186 | 
		187 |   tags = {
		188 |     Name        = "s609693lo6vw106"
		189 |     patch_group = "dev_win_patch"
		190 |     backup      = true
		191 |   }
		192 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw106
	File: /instances.tf:173-192
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		173 | resource "aws_instance" "s609693lo6vw106" {
		174 |   count                  = local.is-development == true ? 1 : 0
		175 |   ami                    = "ami-0f9ea6b08039bb33b"
		176 |   instance_type          = "m5.large"
		177 |   source_dest_check      = false
		178 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		179 |   vpc_security_group_ids = [aws_security_group.Dev-Box-VW106[0].id]
		180 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		181 | 
		182 |   metadata_options {
		183 |     http_tokens   = "required"
		184 |     http_endpoint = "enabled"
		185 |   }
		186 | 
		187 |   tags = {
		188 |     Name        = "s609693lo6vw106"
		189 |     patch_group = "dev_win_patch"
		190 |     backup      = true
		191 |   }
		192 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw111
	File: /instances.tf:194-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		194 | resource "aws_instance" "s609693lo6vw111" {
		195 |   count                  = local.is-development == true ? 1 : 0
		196 |   ami                    = "ami-005cac270289ea0de"
		197 |   instance_type          = "m5.large"
		198 |   source_dest_check      = false
		199 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		200 |   vpc_security_group_ids = [aws_security_group.Dev-Box-VW106[0].id]
		201 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		202 | 
		203 |   metadata_options {
		204 |     http_tokens   = "required"
		205 |     http_endpoint = "enabled"
		206 |   }
		207 | 
		208 |   tags = {
		209 |     Name        = "s609693lo6vw111"
		210 |     patch_group = "dev_win_patch"
		211 |   }
		212 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw111
	File: /instances.tf:194-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		194 | resource "aws_instance" "s609693lo6vw111" {
		195 |   count                  = local.is-development == true ? 1 : 0
		196 |   ami                    = "ami-005cac270289ea0de"
		197 |   instance_type          = "m5.large"
		198 |   source_dest_check      = false
		199 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		200 |   vpc_security_group_ids = [aws_security_group.Dev-Box-VW106[0].id]
		201 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		202 | 
		203 |   metadata_options {
		204 |     http_tokens   = "required"
		205 |     http_endpoint = "enabled"
		206 |   }
		207 | 
		208 |   tags = {
		209 |     Name        = "s609693lo6vw111"
		210 |     patch_group = "dev_win_patch"
		211 |   }
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw107
	File: /instances.tf:214-233
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		214 | resource "aws_instance" "s609693lo6vw107" {
		215 |   count                  = local.is-development == true ? 1 : 0
		216 |   ami                    = "ami-04682227c9aa18702"
		217 |   instance_type          = "m5.large"
		218 |   source_dest_check      = false
		219 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		220 |   vpc_security_group_ids = [aws_security_group.Dev-Box-VW107[0].id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		222 | 
		223 |   metadata_options {
		224 |     http_tokens   = "required"
		225 |     http_endpoint = "enabled"
		226 |   }
		227 | 
		228 |   tags = {
		229 |     Name        = "s609693lo6vw107"
		230 |     patch_group = "dev_win_patch"
		231 |     backup      = true
		232 |   }
		233 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw107
	File: /instances.tf:214-233
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		214 | resource "aws_instance" "s609693lo6vw107" {
		215 |   count                  = local.is-development == true ? 1 : 0
		216 |   ami                    = "ami-04682227c9aa18702"
		217 |   instance_type          = "m5.large"
		218 |   source_dest_check      = false
		219 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		220 |   vpc_security_group_ids = [aws_security_group.Dev-Box-VW107[0].id]
		221 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		222 | 
		223 |   metadata_options {
		224 |     http_tokens   = "required"
		225 |     http_endpoint = "enabled"
		226 |   }
		227 | 
		228 |   tags = {
		229 |     Name        = "s609693lo6vw107"
		230 |     patch_group = "dev_win_patch"
		231 |     backup      = true
		232 |   }
		233 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.PPUDWEBSERVER2
	File: /instances.tf:235-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		235 | resource "aws_instance" "PPUDWEBSERVER2" {
		236 |   count                  = local.is-development == true ? 1 : 0
		237 |   ami                    = "ami-0852d4d5313264225"
		238 |   instance_type          = "m5.large"
		239 |   source_dest_check      = false
		240 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		241 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		242 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		243 | 
		244 |   metadata_options {
		245 |     http_tokens   = "required"
		246 |     http_endpoint = "enabled"
		247 |   }
		248 | 
		249 |   tags = {
		250 |     Name        = "PPUDWEBSERVER2"
		251 |     patch_group = "dev_win_patch"
		252 |     backup      = true
		253 |   }
		254 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.PPUDWEBSERVER2
	File: /instances.tf:235-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		235 | resource "aws_instance" "PPUDWEBSERVER2" {
		236 |   count                  = local.is-development == true ? 1 : 0
		237 |   ami                    = "ami-0852d4d5313264225"
		238 |   instance_type          = "m5.large"
		239 |   source_dest_check      = false
		240 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		241 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		242 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		243 | 
		244 |   metadata_options {
		245 |     http_tokens   = "required"
		246 |     http_endpoint = "enabled"
		247 |   }
		248 | 
		249 |   tags = {
		250 |     Name        = "PPUDWEBSERVER2"
		251 |     patch_group = "dev_win_patch"
		252 |     backup      = true
		253 |   }
		254 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw102
	File: /instances.tf:256-275
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		256 | resource "aws_instance" "s609693lo6vw102" {
		257 |   count                  = local.is-development == true ? 1 : 0
		258 |   ami                    = "ami-0640473a9b0267bac"
		259 |   instance_type          = "m5.large"
		260 |   source_dest_check      = false
		261 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		262 |   vpc_security_group_ids = [aws_security_group.Secondary-DOC-Server[0].id]
		263 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		264 | 
		265 |   metadata_options {
		266 |     http_tokens   = "required"
		267 |     http_endpoint = "enabled"
		268 |   }
		269 | 
		270 |   tags = {
		271 |     Name        = "s609693lo6vw102"
		272 |     patch_group = "dev_win_patch"
		273 |     backup      = true
		274 |   }
		275 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw102
	File: /instances.tf:256-275
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		256 | resource "aws_instance" "s609693lo6vw102" {
		257 |   count                  = local.is-development == true ? 1 : 0
		258 |   ami                    = "ami-0640473a9b0267bac"
		259 |   instance_type          = "m5.large"
		260 |   source_dest_check      = false
		261 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		262 |   vpc_security_group_ids = [aws_security_group.Secondary-DOC-Server[0].id]
		263 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		264 | 
		265 |   metadata_options {
		266 |     http_tokens   = "required"
		267 |     http_endpoint = "enabled"
		268 |   }
		269 | 
		270 |   tags = {
		271 |     Name        = "s609693lo6vw102"
		272 |     patch_group = "dev_win_patch"
		273 |     backup      = true
		274 |   }
		275 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s609693lo6vw108
	File: /instances.tf:277-296
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		277 | resource "aws_instance" "s609693lo6vw108" {
		278 |   count                  = local.is-development == true ? 1 : 0
		279 |   ami                    = "ami-0e0b7dbcff71ddd9c"
		280 |   instance_type          = "m5.large"
		281 |   source_dest_check      = false
		282 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		283 |   vpc_security_group_ids = [aws_security_group.Dev-Box-VW108[0].id]
		284 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		285 | 
		286 |   metadata_options {
		287 |     http_tokens   = "required"
		288 |     http_endpoint = "enabled"
		289 |   }
		290 | 
		291 |   tags = {
		292 |     Name        = "s609693lo6vw108"
		293 |     patch_group = "dev_win_patch"
		294 |     backup      = true
		295 |   }
		296 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s609693lo6vw108
	File: /instances.tf:277-296
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		277 | resource "aws_instance" "s609693lo6vw108" {
		278 |   count                  = local.is-development == true ? 1 : 0
		279 |   ami                    = "ami-0e0b7dbcff71ddd9c"
		280 |   instance_type          = "m5.large"
		281 |   source_dest_check      = false
		282 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		283 |   vpc_security_group_ids = [aws_security_group.Dev-Box-VW108[0].id]
		284 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		285 | 
		286 |   metadata_options {
		287 |     http_tokens   = "required"
		288 |     http_endpoint = "enabled"
		289 |   }
		290 | 
		291 |   tags = {
		292 |     Name        = "s609693lo6vw108"
		293 |     patch_group = "dev_win_patch"
		294 |     backup      = true
		295 |   }
		296 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw201
	File: /instances.tf:304-323
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		304 | resource "aws_instance" "s618358rgvw201" {
		305 |   count                  = local.is-preproduction == true ? 1 : 0
		306 |   ami                    = "ami-0d1cb68fb6c1f131b"
		307 |   instance_type          = "c5.large"
		308 |   source_dest_check      = false
		309 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		310 |   vpc_security_group_ids = [aws_security_group.WAM-Portal.id]
		311 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		312 | 
		313 |   metadata_options {
		314 |     http_tokens   = "required"
		315 |     http_endpoint = "enabled"
		316 |   }
		317 | 
		318 |   tags = {
		319 |     Name        = "s618358rgvw201"
		320 |     patch_group = "uat_win_patch"
		321 |     backup      = true
		322 |   }
		323 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw201
	File: /instances.tf:304-323
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		304 | resource "aws_instance" "s618358rgvw201" {
		305 |   count                  = local.is-preproduction == true ? 1 : 0
		306 |   ami                    = "ami-0d1cb68fb6c1f131b"
		307 |   instance_type          = "c5.large"
		308 |   source_dest_check      = false
		309 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		310 |   vpc_security_group_ids = [aws_security_group.WAM-Portal.id]
		311 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		312 | 
		313 |   metadata_options {
		314 |     http_tokens   = "required"
		315 |     http_endpoint = "enabled"
		316 |   }
		317 | 
		318 |   tags = {
		319 |     Name        = "s618358rgvw201"
		320 |     patch_group = "uat_win_patch"
		321 |     backup      = true
		322 |   }
		323 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.S618358RGVW202
	File: /instances.tf:325-344
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		325 | resource "aws_instance" "S618358RGVW202" {
		326 |   count                  = local.is-preproduction == true ? 1 : 0
		327 |   ami                    = "ami-0df4dcc477ff0fa3f"
		328 |   instance_type          = "m5.large"
		329 |   source_dest_check      = false
		330 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		331 |   vpc_security_group_ids = [aws_security_group.Bridge-Server[0].id]
		332 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		333 | 
		334 |   metadata_options {
		335 |     http_tokens   = "required"
		336 |     http_endpoint = "enabled"
		337 |   }
		338 | 
		339 |   tags = {
		340 |     Name        = "S618358RGVW202"
		341 |     patch_group = "uat_win_patch"
		342 |     backup      = true
		343 |   }
		344 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.S618358RGVW202
	File: /instances.tf:325-344
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		325 | resource "aws_instance" "S618358RGVW202" {
		326 |   count                  = local.is-preproduction == true ? 1 : 0
		327 |   ami                    = "ami-0df4dcc477ff0fa3f"
		328 |   instance_type          = "m5.large"
		329 |   source_dest_check      = false
		330 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		331 |   vpc_security_group_ids = [aws_security_group.Bridge-Server[0].id]
		332 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		333 | 
		334 |   metadata_options {
		335 |     http_tokens   = "required"
		336 |     http_endpoint = "enabled"
		337 |   }
		338 | 
		339 |   tags = {
		340 |     Name        = "S618358RGVW202"
		341 |     patch_group = "uat_win_patch"
		342 |     backup      = true
		343 |   }
		344 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgsw025
	File: /instances.tf:346-365
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		346 | resource "aws_instance" "s618358rgsw025" {
		347 |   count                  = local.is-preproduction == true ? 1 : 0
		348 |   ami                    = "ami-0ad4be40d57ecc994"
		349 |   instance_type          = "c5.4xlarge"
		350 |   source_dest_check      = false
		351 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		352 |   vpc_security_group_ids = [aws_security_group.WAM-Data-Access-Server.id]
		353 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		354 | 
		355 |   metadata_options {
		356 |     http_tokens   = "required"
		357 |     http_endpoint = "enabled"
		358 |   }
		359 | 
		360 |   tags = {
		361 |     Name        = "s618358rgsw025"
		362 |     patch_group = "uat_win_patch"
		363 |     backup      = true
		364 |   }
		365 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgsw025
	File: /instances.tf:346-365
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		346 | resource "aws_instance" "s618358rgsw025" {
		347 |   count                  = local.is-preproduction == true ? 1 : 0
		348 |   ami                    = "ami-0ad4be40d57ecc994"
		349 |   instance_type          = "c5.4xlarge"
		350 |   source_dest_check      = false
		351 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		352 |   vpc_security_group_ids = [aws_security_group.WAM-Data-Access-Server.id]
		353 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		354 | 
		355 |   metadata_options {
		356 |     http_tokens   = "required"
		357 |     http_endpoint = "enabled"
		358 |   }
		359 | 
		360 |   tags = {
		361 |     Name        = "s618358rgsw025"
		362 |     patch_group = "uat_win_patch"
		363 |     backup      = true
		364 |   }
		365 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw024
	File: /instances.tf:367-386
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		367 | resource "aws_instance" "s618358rgvw024" {
		368 |   count                  = local.is-preproduction == true ? 1 : 0
		369 |   ami                    = "ami-06bc4f0d8d949ba24"
		370 |   instance_type          = "m6i.2xlarge"
		371 |   source_dest_check      = false
		372 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		373 |   vpc_security_group_ids = [aws_security_group.UAT-Document-Service[0].id]
		374 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		375 | 
		376 |   metadata_options {
		377 |     http_tokens   = "required"
		378 |     http_endpoint = "enabled"
		379 |   }
		380 | 
		381 |   tags = {
		382 |     Name        = "s618358rgvw024"
		383 |     patch_group = "uat_win_patch"
		384 |     backup      = true
		385 |   }
		386 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw024
	File: /instances.tf:367-386
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		367 | resource "aws_instance" "s618358rgvw024" {
		368 |   count                  = local.is-preproduction == true ? 1 : 0
		369 |   ami                    = "ami-06bc4f0d8d949ba24"
		370 |   instance_type          = "m6i.2xlarge"
		371 |   source_dest_check      = false
		372 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		373 |   vpc_security_group_ids = [aws_security_group.UAT-Document-Service[0].id]
		374 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		375 | 
		376 |   metadata_options {
		377 |     http_tokens   = "required"
		378 |     http_endpoint = "enabled"
		379 |   }
		380 | 
		381 |   tags = {
		382 |     Name        = "s618358rgvw024"
		383 |     patch_group = "uat_win_patch"
		384 |     backup      = true
		385 |   }
		386 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw023
	File: /instances.tf:388-407
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		388 | resource "aws_instance" "s618358rgvw023" {
		389 |   count                  = local.is-preproduction == true ? 1 : 0
		390 |   ami                    = "ami-0f073b401ba3f1cff"
		391 |   instance_type          = "c5.large"
		392 |   source_dest_check      = false
		393 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		394 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		395 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		396 | 
		397 |   metadata_options {
		398 |     http_tokens   = "required"
		399 |     http_endpoint = "enabled"
		400 |   }
		401 | 
		402 |   tags = {
		403 |     Name        = "s618358rgvw023"
		404 |     patch_group = "uat_win_patch"
		405 |     backup      = true
		406 |   }
		407 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw023
	File: /instances.tf:388-407
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		388 | resource "aws_instance" "s618358rgvw023" {
		389 |   count                  = local.is-preproduction == true ? 1 : 0
		390 |   ami                    = "ami-0f073b401ba3f1cff"
		391 |   instance_type          = "c5.large"
		392 |   source_dest_check      = false
		393 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		394 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		395 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		396 | 
		397 |   metadata_options {
		398 |     http_tokens   = "required"
		399 |     http_endpoint = "enabled"
		400 |   }
		401 | 
		402 |   tags = {
		403 |     Name        = "s618358rgvw023"
		404 |     patch_group = "uat_win_patch"
		405 |     backup      = true
		406 |   }
		407 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw019
	File: /instances.tf:414-433
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		414 | resource "aws_instance" "s618358rgvw019" {
		415 |   count                  = local.is-production == true ? 1 : 0
		416 |   ami                    = "ami-01d04f2e4f8cea4dd"
		417 |   instance_type          = "c5.xlarge"
		418 |   source_dest_check      = false
		419 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		420 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		421 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		422 | 
		423 |   metadata_options {
		424 |     http_tokens   = "required"
		425 |     http_endpoint = "enabled"
		426 |   }
		427 | 
		428 |   tags = {
		429 |     Name          = "s618358rgvw019"
		430 |     patch_group   = "prod_win_patch"
		431 |     is-production = true
		432 |   }
		433 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw019
	File: /instances.tf:414-433
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		414 | resource "aws_instance" "s618358rgvw019" {
		415 |   count                  = local.is-production == true ? 1 : 0
		416 |   ami                    = "ami-01d04f2e4f8cea4dd"
		417 |   instance_type          = "c5.xlarge"
		418 |   source_dest_check      = false
		419 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		420 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		421 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		422 | 
		423 |   metadata_options {
		424 |     http_tokens   = "required"
		425 |     http_endpoint = "enabled"
		426 |   }
		427 | 
		428 |   tags = {
		429 |     Name          = "s618358rgvw019"
		430 |     patch_group   = "prod_win_patch"
		431 |     is-production = true
		432 |   }
		433 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw020
	File: /instances.tf:435-454
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		435 | resource "aws_instance" "s618358rgvw020" {
		436 |   count                  = local.is-production == true ? 1 : 0
		437 |   ami                    = "ami-0e49fc9838fdf33c4"
		438 |   instance_type          = "c5.xlarge"
		439 |   source_dest_check      = false
		440 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		441 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		442 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		443 | 
		444 |   metadata_options {
		445 |     http_tokens   = "required"
		446 |     http_endpoint = "enabled"
		447 |   }
		448 | 
		449 |   tags = {
		450 |     Name          = "s618358rgvw020"
		451 |     patch_group   = "prod_win_patch"
		452 |     is-production = true
		453 |   }
		454 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw020
	File: /instances.tf:435-454
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		435 | resource "aws_instance" "s618358rgvw020" {
		436 |   count                  = local.is-production == true ? 1 : 0
		437 |   ami                    = "ami-0e49fc9838fdf33c4"
		438 |   instance_type          = "c5.xlarge"
		439 |   source_dest_check      = false
		440 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		441 |   vpc_security_group_ids = [aws_security_group.PPUD-WEB-Portal.id]
		442 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		443 | 
		444 |   metadata_options {
		445 |     http_tokens   = "required"
		446 |     http_endpoint = "enabled"
		447 |   }
		448 | 
		449 |   tags = {
		450 |     Name          = "s618358rgvw020"
		451 |     patch_group   = "prod_win_patch"
		452 |     is-production = true
		453 |   }
		454 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw021
	File: /instances.tf:456-475
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		456 | resource "aws_instance" "s618358rgvw021" {
		457 |   count                  = local.is-production == true ? 1 : 0
		458 |   ami                    = "ami-05ddec53aa481cbc3"
		459 |   instance_type          = "m5.2xlarge"
		460 |   source_dest_check      = false
		461 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		462 |   vpc_security_group_ids = [aws_security_group.PPUD-PROD-Database[0].id]
		463 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		464 | 
		465 |   metadata_options {
		466 |     http_tokens   = "required"
		467 |     http_endpoint = "enabled"
		468 |   }
		469 | 
		470 |   tags = {
		471 |     Name          = "s618358rgvw021"
		472 |     patch_group   = "prod_win_patch"
		473 |     is-production = true
		474 |   }
		475 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw021
	File: /instances.tf:456-475
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		456 | resource "aws_instance" "s618358rgvw021" {
		457 |   count                  = local.is-production == true ? 1 : 0
		458 |   ami                    = "ami-05ddec53aa481cbc3"
		459 |   instance_type          = "m5.2xlarge"
		460 |   source_dest_check      = false
		461 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		462 |   vpc_security_group_ids = [aws_security_group.PPUD-PROD-Database[0].id]
		463 |   subnet_id              = data.aws_subnet.data_subnets_a.id
		464 | 
		465 |   metadata_options {
		466 |     http_tokens   = "required"
		467 |     http_endpoint = "enabled"
		468 |   }
		469 | 
		470 |   tags = {
		471 |     Name          = "s618358rgvw021"
		472 |     patch_group   = "prod_win_patch"
		473 |     is-production = true
		474 |   }
		475 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw022
	File: /instances.tf:477-496
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		477 | resource "aws_instance" "s618358rgvw022" {
		478 |   count                  = local.is-production == true ? 1 : 0
		479 |   ami                    = "ami-02f8251c8cdf2464f"
		480 |   instance_type          = "m5.xlarge"
		481 |   source_dest_check      = false
		482 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		483 |   vpc_security_group_ids = [aws_security_group.Primary-DOC-Server[0].id]
		484 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		485 | 
		486 |   metadata_options {
		487 |     http_tokens   = "required"
		488 |     http_endpoint = "enabled"
		489 |   }
		490 | 
		491 |   tags = {
		492 |     Name          = "s618358rgvw022"
		493 |     patch_group   = "prod_win_patch"
		494 |     is-production = true
		495 |   }
		496 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw022
	File: /instances.tf:477-496
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		477 | resource "aws_instance" "s618358rgvw022" {
		478 |   count                  = local.is-production == true ? 1 : 0
		479 |   ami                    = "ami-02f8251c8cdf2464f"
		480 |   instance_type          = "m5.xlarge"
		481 |   source_dest_check      = false
		482 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		483 |   vpc_security_group_ids = [aws_security_group.Primary-DOC-Server[0].id]
		484 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		485 | 
		486 |   metadata_options {
		487 |     http_tokens   = "required"
		488 |     http_endpoint = "enabled"
		489 |   }
		490 | 
		491 |   tags = {
		492 |     Name          = "s618358rgvw022"
		493 |     patch_group   = "prod_win_patch"
		494 |     is-production = true
		495 |   }
		496 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw027
	File: /instances.tf:498-517
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		498 | resource "aws_instance" "s618358rgvw027" {
		499 |   count                  = local.is-production == true ? 1 : 0
		500 |   ami                    = "ami-0e203fec985af6465"
		501 |   instance_type          = "m5.xlarge"
		502 |   source_dest_check      = false
		503 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		504 |   vpc_security_group_ids = [aws_security_group.Secondary-DOC-Server[0].id]
		505 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		506 | 
		507 |   metadata_options {
		508 |     http_tokens   = "required"
		509 |     http_endpoint = "enabled"
		510 |   }
		511 | 
		512 |   tags = {
		513 |     Name          = "s618358rgvw027"
		514 |     patch_group   = "prod_win_patch"
		515 |     is-production = true
		516 |   }
		517 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw027
	File: /instances.tf:498-517
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		498 | resource "aws_instance" "s618358rgvw027" {
		499 |   count                  = local.is-production == true ? 1 : 0
		500 |   ami                    = "ami-0e203fec985af6465"
		501 |   instance_type          = "m5.xlarge"
		502 |   source_dest_check      = false
		503 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		504 |   vpc_security_group_ids = [aws_security_group.Secondary-DOC-Server[0].id]
		505 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		506 | 
		507 |   metadata_options {
		508 |     http_tokens   = "required"
		509 |     http_endpoint = "enabled"
		510 |   }
		511 | 
		512 |   tags = {
		513 |     Name          = "s618358rgvw027"
		514 |     patch_group   = "prod_win_patch"
		515 |     is-production = true
		516 |   }
		517 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw204
	File: /instances.tf:519-538
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		519 | resource "aws_instance" "s618358rgvw204" {
		520 |   count                  = local.is-production == true ? 1 : 0
		521 |   ami                    = "ami-0e8380f304bd2caab"
		522 |   instance_type          = "c5.xlarge"
		523 |   source_dest_check      = false
		524 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		525 |   vpc_security_group_ids = [aws_security_group.WAM-Portal.id]
		526 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		527 | 
		528 |   metadata_options {
		529 |     http_tokens   = "required"
		530 |     http_endpoint = "enabled"
		531 |   }
		532 | 
		533 |   tags = {
		534 |     Name          = "s618358rgvw204"
		535 |     patch_group   = "prod_win_patch"
		536 |     is-production = true
		537 |   }
		538 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw204
	File: /instances.tf:519-538
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		519 | resource "aws_instance" "s618358rgvw204" {
		520 |   count                  = local.is-production == true ? 1 : 0
		521 |   ami                    = "ami-0e8380f304bd2caab"
		522 |   instance_type          = "c5.xlarge"
		523 |   source_dest_check      = false
		524 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		525 |   vpc_security_group_ids = [aws_security_group.WAM-Portal.id]
		526 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		527 | 
		528 |   metadata_options {
		529 |     http_tokens   = "required"
		530 |     http_endpoint = "enabled"
		531 |   }
		532 | 
		533 |   tags = {
		534 |     Name          = "s618358rgvw204"
		535 |     patch_group   = "prod_win_patch"
		536 |     is-production = true
		537 |   }
		538 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgvw205
	File: /instances.tf:540-559
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		540 | resource "aws_instance" "s618358rgvw205" {
		541 |   count                  = local.is-production == true ? 1 : 0
		542 |   ami                    = "ami-0b6b39448c2d727c3"
		543 |   instance_type          = "c5.large"
		544 |   source_dest_check      = false
		545 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		546 |   vpc_security_group_ids = [aws_security_group.Bridge-Server[0].id]
		547 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		548 | 
		549 |   metadata_options {
		550 |     http_tokens   = "required"
		551 |     http_endpoint = "enabled"
		552 |   }
		553 | 
		554 |   tags = {
		555 |     Name          = "s618358rgvw205"
		556 |     patch_group   = "prod_win_patch"
		557 |     is-production = true
		558 |   }
		559 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgvw205
	File: /instances.tf:540-559
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		540 | resource "aws_instance" "s618358rgvw205" {
		541 |   count                  = local.is-production == true ? 1 : 0
		542 |   ami                    = "ami-0b6b39448c2d727c3"
		543 |   instance_type          = "c5.large"
		544 |   source_dest_check      = false
		545 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		546 |   vpc_security_group_ids = [aws_security_group.Bridge-Server[0].id]
		547 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		548 | 
		549 |   metadata_options {
		550 |     http_tokens   = "required"
		551 |     http_endpoint = "enabled"
		552 |   }
		553 | 
		554 |   tags = {
		555 |     Name          = "s618358rgvw205"
		556 |     patch_group   = "prod_win_patch"
		557 |     is-production = true
		558 |   }
		559 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s618358rgsw025p
	File: /instances.tf:562-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		562 | resource "aws_instance" "s618358rgsw025p" {
		563 |   count                  = local.is-production == true ? 1 : 0
		564 |   ami                    = "ami-0b8f6843db88aa8a6"
		565 |   instance_type          = "c5.4xlarge"
		566 |   source_dest_check      = false
		567 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		568 |   vpc_security_group_ids = [aws_security_group.WAM-Data-Access-Server.id]
		569 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		570 | 
		571 |   metadata_options {
		572 |     http_tokens   = "required"
		573 |     http_endpoint = "enabled"
		574 |   }
		575 | 
		576 |   tags = {
		577 |     Name        = "s618358rgsw025"
		578 |     patch_group = "prod_win_patch"
		579 |     backup      = true
		580 |   }
		581 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s618358rgsw025p
	File: /instances.tf:562-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		562 | resource "aws_instance" "s618358rgsw025p" {
		563 |   count                  = local.is-production == true ? 1 : 0
		564 |   ami                    = "ami-0b8f6843db88aa8a6"
		565 |   instance_type          = "c5.4xlarge"
		566 |   source_dest_check      = false
		567 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		568 |   vpc_security_group_ids = [aws_security_group.WAM-Data-Access-Server.id]
		569 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		570 | 
		571 |   metadata_options {
		572 |     http_tokens   = "required"
		573 |     http_endpoint = "enabled"
		574 |   }
		575 | 
		576 |   tags = {
		577 |     Name        = "s618358rgsw025"
		578 |     patch_group = "prod_win_patch"
		579 |     backup      = true
		580 |   }
		581 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s266316rgsl200
	File: /instances.tf:583-603
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		583 | resource "aws_instance" "s266316rgsl200" {
		584 |   count                  = local.is-production == true ? 1 : 0
		585 |   ami                    = "ami-0f43890c2b4907c29"
		586 |   instance_type          = "m5.large"
		587 |   source_dest_check      = false
		588 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		589 |   vpc_security_group_ids = [aws_security_group.PPUD-Mail-Server[0].id]
		590 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		591 |   key_name               = aws_key_pair.cjms_instance[0].key_name
		592 | 
		593 |   metadata_options {
		594 |     http_tokens   = "required"
		595 |     http_endpoint = "enabled"
		596 |   }
		597 | 
		598 |   tags = {
		599 |     Name          = "s266316rgsl200"
		600 |     is-production = true
		601 |     patch_group   = "prod_lin_patch"
		602 |   }
		603 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s266316rgsl200
	File: /instances.tf:583-603
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		583 | resource "aws_instance" "s266316rgsl200" {
		584 |   count                  = local.is-production == true ? 1 : 0
		585 |   ami                    = "ami-0f43890c2b4907c29"
		586 |   instance_type          = "m5.large"
		587 |   source_dest_check      = false
		588 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		589 |   vpc_security_group_ids = [aws_security_group.PPUD-Mail-Server[0].id]
		590 |   subnet_id              = data.aws_subnet.private_subnets_b.id
		591 |   key_name               = aws_key_pair.cjms_instance[0].key_name
		592 | 
		593 |   metadata_options {
		594 |     http_tokens   = "required"
		595 |     http_endpoint = "enabled"
		596 |   }
		597 | 
		598 |   tags = {
		599 |     Name          = "s266316rgsl200"
		600 |     is-production = true
		601 |     patch_group   = "prod_lin_patch"
		602 |   }
		603 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s265903rgsl400-non-cjsm
	File: /instances.tf:606-626
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		606 | resource "aws_instance" "s265903rgsl400-non-cjsm" {
		607 |   count                  = local.is-production == true ? 1 : 0
		608 |   ami                    = "ami-0f43890c2b4907c29"
		609 |   instance_type          = "m5.large"
		610 |   source_dest_check      = false
		611 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		612 |   vpc_security_group_ids = [aws_security_group.PPUD-Mail-Server-2[0].id]
		613 |   subnet_id              = data.aws_subnet.public_subnets_b.id
		614 |   key_name               = aws_key_pair.cjms_instance[0].key_name
		615 | 
		616 |   metadata_options {
		617 |     http_tokens   = "required"
		618 |     http_endpoint = "enabled"
		619 |   }
		620 | 
		621 |   tags = {
		622 |     Name          = "s265903rgsl400-non-cjsm"
		623 |     is-production = true
		624 |     patch_group   = "prod_lin_patch"
		625 |   }
		626 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s265903rgsl400-non-cjsm
	File: /instances.tf:606-626
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		606 | resource "aws_instance" "s265903rgsl400-non-cjsm" {
		607 |   count                  = local.is-production == true ? 1 : 0
		608 |   ami                    = "ami-0f43890c2b4907c29"
		609 |   instance_type          = "m5.large"
		610 |   source_dest_check      = false
		611 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		612 |   vpc_security_group_ids = [aws_security_group.PPUD-Mail-Server-2[0].id]
		613 |   subnet_id              = data.aws_subnet.public_subnets_b.id
		614 |   key_name               = aws_key_pair.cjms_instance[0].key_name
		615 | 
		616 |   metadata_options {
		617 |     http_tokens   = "required"
		618 |     http_endpoint = "enabled"
		619 |   }
		620 | 
		621 |   tags = {
		622 |     Name          = "s265903rgsl400-non-cjsm"
		623 |     is-production = true
		624 |     patch_group   = "prod_lin_patch"
		625 |   }
		626 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.s265903rgsl401-cjsm
	File: /instances.tf:628-648
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		628 | resource "aws_instance" "s265903rgsl401-cjsm" {
		629 |   count                  = local.is-production == true ? 1 : 0
		630 |   ami                    = "ami-0f43890c2b4907c29"
		631 |   instance_type          = "m5.large"
		632 |   source_dest_check      = false
		633 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		634 |   vpc_security_group_ids = [aws_security_group.PPUD-Mail-Server-2[0].id]
		635 |   subnet_id              = data.aws_subnet.public_subnets_c.id
		636 |   key_name               = aws_key_pair.cjms_instance[0].key_name
		637 | 
		638 |   metadata_options {
		639 |     http_tokens   = "required"
		640 |     http_endpoint = "enabled"
		641 |   }
		642 | 
		643 |   tags = {
		644 |     Name          = "s265903rgsl401-cjsm"
		645 |     is-production = true
		646 |     patch_group   = "prod_lin_patch"
		647 |   }
		648 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.s265903rgsl401-cjsm
	File: /instances.tf:628-648
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		628 | resource "aws_instance" "s265903rgsl401-cjsm" {
		629 |   count                  = local.is-production == true ? 1 : 0
		630 |   ami                    = "ami-0f43890c2b4907c29"
		631 |   instance_type          = "m5.large"
		632 |   source_dest_check      = false
		633 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		634 |   vpc_security_group_ids = [aws_security_group.PPUD-Mail-Server-2[0].id]
		635 |   subnet_id              = data.aws_subnet.public_subnets_c.id
		636 |   key_name               = aws_key_pair.cjms_instance[0].key_name
		637 | 
		638 |   metadata_options {
		639 |     http_tokens   = "required"
		640 |     http_endpoint = "enabled"
		641 |   }
		642 | 
		643 |   tags = {
		644 |     Name          = "s265903rgsl401-cjsm"
		645 |     is-production = true
		646 |     patch_group   = "prod_lin_patch"
		647 |   }
		648 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.docker-build-server
	File: /instances.tf:650-675
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		650 | resource "aws_instance" "docker-build-server" {
		651 |   count                  = local.is-production == true ? 1 : 0
		652 |   ami                    = "ami-050d499cfdd1ff7d4"
		653 |   instance_type          = "m5.large"
		654 |   source_dest_check      = false
		655 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		656 |   vpc_security_group_ids = [aws_security_group.docker-build-server[0].id]
		657 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		658 |   key_name               = aws_key_pair.cjms_instance[0].key_name
		659 |   root_block_device {
		660 |     delete_on_termination = true
		661 |     volume_size           = "40"
		662 |     volume_type           = "gp2"
		663 |   }
		664 | 
		665 |   metadata_options {
		666 |     http_tokens   = "required"
		667 |     http_endpoint = "enabled"
		668 |   }
		669 | 
		670 |   tags = {
		671 |     Name          = "docker-build-server"
		672 |     is-production = true
		673 |     patch_group   = "prod_lin_patch"
		674 |   }
		675 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.docker-build-server
	File: /instances.tf:650-675
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		650 | resource "aws_instance" "docker-build-server" {
		651 |   count                  = local.is-production == true ? 1 : 0
		652 |   ami                    = "ami-050d499cfdd1ff7d4"
		653 |   instance_type          = "m5.large"
		654 |   source_dest_check      = false
		655 |   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
		656 |   vpc_security_group_ids = [aws_security_group.docker-build-server[0].id]
		657 |   subnet_id              = data.aws_subnet.private_subnets_c.id
		658 |   key_name               = aws_key_pair.cjms_instance[0].key_name
		659 |   root_block_device {
		660 |     delete_on_termination = true
		661 |     volume_size           = "40"
		662 |     volume_type           = "gp2"
		663 |   }
		664 | 
		665 |   metadata_options {
		666 |     http_tokens   = "required"
		667 |     http_endpoint = "enabled"
		668 |   }
		669 | 
		670 |   tags = {
		671 |     Name          = "docker-build-server"
		672 |     is-production = true
		673 |     patch_group   = "prod_lin_patch"
		674 |   }
		675 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.sprinkler_ebs_encryption_policy_doc
	File: /kms.tf:11-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		11 | data "aws_iam_policy_document" "sprinkler_ebs_encryption_policy_doc" {
		12 |   # Allow root users full management access to key
		13 |   statement {
		14 |     effect = "Allow"
		15 |     actions = [
		16 |       "kms:*"
		17 |     ]
		18 | 
		19 |     resources = ["*"] # Represents the key to which this policy is attached
		20 | 
		21 |     # AWS should add the AWS account by default but adding here for visibility
		22 |     principals {
		23 |       type        = "AWS"
		24 |       identifiers = [data.aws_caller_identity.current.account_id] #
		25 |     }
		26 |   }
		27 | 
		28 |   # Allow all mod platform account to use this key so that they can launch ec2 instances based on AMIs backed by encrypted snapshots
		29 |   statement {
		30 |     effect = "Allow"
		31 |     actions = [
		32 |       "kms:DescribeKey",
		33 |       "kms:ReEncrypt*",
		34 |       "kms:CreateGrant",
		35 |       "kms:Decrypt"
		36 |     ]
		37 | 
		38 |     resources = ["*"]
		39 |     principals {
		40 |       type        = "AWS"
		41 |       identifiers = ["*"]
		42 |     }
		43 | 
		44 |     condition {
		45 |       test     = "ForAnyValue:StringLike"
		46 |       variable = "aws:PrincipalOrgPaths"
		47 |       values = [
		48 |         "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
		49 |       ]
		50 |     }
		51 |   }
		52 | }
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.sprinkler_ebs_encryption_policy_doc
	File: /kms.tf:11-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		11 | data "aws_iam_policy_document" "sprinkler_ebs_encryption_policy_doc" {
		12 |   # Allow root users full management access to key
		13 |   statement {
		14 |     effect = "Allow"
		15 |     actions = [
		16 |       "kms:*"
		17 |     ]
		18 | 
		19 |     resources = ["*"] # Represents the key to which this policy is attached
		20 | 
		21 |     # AWS should add the AWS account by default but adding here for visibility
		22 |     principals {
		23 |       type        = "AWS"
		24 |       identifiers = [data.aws_caller_identity.current.account_id] #
		25 |     }
		26 |   }
		27 | 
		28 |   # Allow all mod platform account to use this key so that they can launch ec2 instances based on AMIs backed by encrypted snapshots
		29 |   statement {
		30 |     effect = "Allow"
		31 |     actions = [
		32 |       "kms:DescribeKey",
		33 |       "kms:ReEncrypt*",
		34 |       "kms:CreateGrant",
		35 |       "kms:Decrypt"
		36 |     ]
		37 | 
		38 |     resources = ["*"]
		39 |     principals {
		40 |       type        = "AWS"
		41 |       identifiers = ["*"]
		42 |     }
		43 | 
		44 |     condition {
		45 |       test     = "ForAnyValue:StringLike"
		46 |       variable = "aws:PrincipalOrgPaths"
		47 |       values = [
		48 |         "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
		49 |       ]
		50 |     }
		51 |   }
		52 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.sprinkler_ebs_encryption_policy_doc
	File: /kms.tf:11-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		11 | data "aws_iam_policy_document" "sprinkler_ebs_encryption_policy_doc" {
		12 |   # Allow root users full management access to key
		13 |   statement {
		14 |     effect = "Allow"
		15 |     actions = [
		16 |       "kms:*"
		17 |     ]
		18 | 
		19 |     resources = ["*"] # Represents the key to which this policy is attached
		20 | 
		21 |     # AWS should add the AWS account by default but adding here for visibility
		22 |     principals {
		23 |       type        = "AWS"
		24 |       identifiers = [data.aws_caller_identity.current.account_id] #
		25 |     }
		26 |   }
		27 | 
		28 |   # Allow all mod platform account to use this key so that they can launch ec2 instances based on AMIs backed by encrypted snapshots
		29 |   statement {
		30 |     effect = "Allow"
		31 |     actions = [
		32 |       "kms:DescribeKey",
		33 |       "kms:ReEncrypt*",
		34 |       "kms:CreateGrant",
		35 |       "kms:Decrypt"
		36 |     ]
		37 | 
		38 |     resources = ["*"]
		39 |     principals {
		40 |       type        = "AWS"
		41 |       identifiers = ["*"]
		42 |     }
		43 | 
		44 |     condition {
		45 |       test     = "ForAnyValue:StringLike"
		46 |       variable = "aws:PrincipalOrgPaths"
		47 |       values = [
		48 |         "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
		49 |       ]
		50 |     }
		51 |   }
		52 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_stop
	File: /lambda.tf:23-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		23 | resource "aws_lambda_function" "terraform_lambda_func_stop" {
		24 |   count         = local.is-production == true ? 1 : 0
		25 |   filename      = "${path.module}/stop-instance/StopEC2Instances.zip"
		26 |   function_name = "stop_Lambda_Function"
		27 |   role          = aws_iam_role.lambda_role[0].arn
		28 |   handler       = "StopEC2Instances.lambda_handler"
		29 |   runtime       = "python3.9"
		30 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		31 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_stop
	File: /lambda.tf:23-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		23 | resource "aws_lambda_function" "terraform_lambda_func_stop" {
		24 |   count         = local.is-production == true ? 1 : 0
		25 |   filename      = "${path.module}/stop-instance/StopEC2Instances.zip"
		26 |   function_name = "stop_Lambda_Function"
		27 |   role          = aws_iam_role.lambda_role[0].arn
		28 |   handler       = "StopEC2Instances.lambda_handler"
		29 |   runtime       = "python3.9"
		30 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		31 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_stop
	File: /lambda.tf:23-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		23 | resource "aws_lambda_function" "terraform_lambda_func_stop" {
		24 |   count         = local.is-production == true ? 1 : 0
		25 |   filename      = "${path.module}/stop-instance/StopEC2Instances.zip"
		26 |   function_name = "stop_Lambda_Function"
		27 |   role          = aws_iam_role.lambda_role[0].arn
		28 |   handler       = "StopEC2Instances.lambda_handler"
		29 |   runtime       = "python3.9"
		30 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		31 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_stop
	File: /lambda.tf:23-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		23 | resource "aws_lambda_function" "terraform_lambda_func_stop" {
		24 |   count         = local.is-production == true ? 1 : 0
		25 |   filename      = "${path.module}/stop-instance/StopEC2Instances.zip"
		26 |   function_name = "stop_Lambda_Function"
		27 |   role          = aws_iam_role.lambda_role[0].arn
		28 |   handler       = "StopEC2Instances.lambda_handler"
		29 |   runtime       = "python3.9"
		30 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		31 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_stop
	File: /lambda.tf:23-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		23 | resource "aws_lambda_function" "terraform_lambda_func_stop" {
		24 |   count         = local.is-production == true ? 1 : 0
		25 |   filename      = "${path.module}/stop-instance/StopEC2Instances.zip"
		26 |   function_name = "stop_Lambda_Function"
		27 |   role          = aws_iam_role.lambda_role[0].arn
		28 |   handler       = "StopEC2Instances.lambda_handler"
		29 |   runtime       = "python3.9"
		30 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		31 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_start
	File: /lambda.tf:33-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		33 | resource "aws_lambda_function" "terraform_lambda_func_start" {
		34 |   count         = local.is-production == true ? 1 : 0
		35 |   filename      = "${path.module}/start-instance/StartEC2Instances.zip"
		36 |   function_name = "start_Lambda_Function"
		37 |   role          = aws_iam_role.lambda_role[0].arn
		38 |   handler       = "StartEC2Instances.lambda_handler"
		39 |   runtime       = "python3.9"
		40 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		41 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_start
	File: /lambda.tf:33-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		33 | resource "aws_lambda_function" "terraform_lambda_func_start" {
		34 |   count         = local.is-production == true ? 1 : 0
		35 |   filename      = "${path.module}/start-instance/StartEC2Instances.zip"
		36 |   function_name = "start_Lambda_Function"
		37 |   role          = aws_iam_role.lambda_role[0].arn
		38 |   handler       = "StartEC2Instances.lambda_handler"
		39 |   runtime       = "python3.9"
		40 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		41 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_start
	File: /lambda.tf:33-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		33 | resource "aws_lambda_function" "terraform_lambda_func_start" {
		34 |   count         = local.is-production == true ? 1 : 0
		35 |   filename      = "${path.module}/start-instance/StartEC2Instances.zip"
		36 |   function_name = "start_Lambda_Function"
		37 |   role          = aws_iam_role.lambda_role[0].arn
		38 |   handler       = "StartEC2Instances.lambda_handler"
		39 |   runtime       = "python3.9"
		40 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		41 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_start
	File: /lambda.tf:33-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		33 | resource "aws_lambda_function" "terraform_lambda_func_start" {
		34 |   count         = local.is-production == true ? 1 : 0
		35 |   filename      = "${path.module}/start-instance/StartEC2Instances.zip"
		36 |   function_name = "start_Lambda_Function"
		37 |   role          = aws_iam_role.lambda_role[0].arn
		38 |   handler       = "StartEC2Instances.lambda_handler"
		39 |   runtime       = "python3.9"
		40 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		41 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_start
	File: /lambda.tf:33-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		33 | resource "aws_lambda_function" "terraform_lambda_func_start" {
		34 |   count         = local.is-production == true ? 1 : 0
		35 |   filename      = "${path.module}/start-instance/StartEC2Instances.zip"
		36 |   function_name = "start_Lambda_Function"
		37 |   role          = aws_iam_role.lambda_role[0].arn
		38 |   handler       = "StartEC2Instances.lambda_handler"
		39 |   runtime       = "python3.9"
		40 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
		41 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_disable_cpu_alarm
	File: /lambda.tf:174-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		174 | resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
		175 |   count         = local.is-production == true ? 1 : 0
		176 |   filename      = "${path.module}/lambda_scripts/disable_cpu_alarm.zip"
		177 |   function_name = "disable_cpu_alarm"
		178 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		179 |   handler       = "disable_cpu_alarm.lambda_handler"
		180 |   runtime       = "python3.12"
		181 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		182 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_disable_cpu_alarm
	File: /lambda.tf:174-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		174 | resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
		175 |   count         = local.is-production == true ? 1 : 0
		176 |   filename      = "${path.module}/lambda_scripts/disable_cpu_alarm.zip"
		177 |   function_name = "disable_cpu_alarm"
		178 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		179 |   handler       = "disable_cpu_alarm.lambda_handler"
		180 |   runtime       = "python3.12"
		181 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		182 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_disable_cpu_alarm
	File: /lambda.tf:174-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		174 | resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
		175 |   count         = local.is-production == true ? 1 : 0
		176 |   filename      = "${path.module}/lambda_scripts/disable_cpu_alarm.zip"
		177 |   function_name = "disable_cpu_alarm"
		178 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		179 |   handler       = "disable_cpu_alarm.lambda_handler"
		180 |   runtime       = "python3.12"
		181 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		182 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_disable_cpu_alarm
	File: /lambda.tf:174-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		174 | resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
		175 |   count         = local.is-production == true ? 1 : 0
		176 |   filename      = "${path.module}/lambda_scripts/disable_cpu_alarm.zip"
		177 |   function_name = "disable_cpu_alarm"
		178 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		179 |   handler       = "disable_cpu_alarm.lambda_handler"
		180 |   runtime       = "python3.12"
		181 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		182 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_disable_cpu_alarm
	File: /lambda.tf:174-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		174 | resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
		175 |   count         = local.is-production == true ? 1 : 0
		176 |   filename      = "${path.module}/lambda_scripts/disable_cpu_alarm.zip"
		177 |   function_name = "disable_cpu_alarm"
		178 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		179 |   handler       = "disable_cpu_alarm.lambda_handler"
		180 |   runtime       = "python3.12"
		181 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		182 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_enable_cpu_alarm
	File: /lambda.tf:186-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		186 | resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
		187 |   count         = local.is-production == true ? 1 : 0
		188 |   filename      = "${path.module}/lambda_scripts/enable_cpu_alarm.zip"
		189 |   function_name = "enable_cpu_alarm"
		190 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		191 |   handler       = "enable_cpu_alarm.lambda_handler"
		192 |   runtime       = "python3.12"
		193 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		194 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_enable_cpu_alarm
	File: /lambda.tf:186-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		186 | resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
		187 |   count         = local.is-production == true ? 1 : 0
		188 |   filename      = "${path.module}/lambda_scripts/enable_cpu_alarm.zip"
		189 |   function_name = "enable_cpu_alarm"
		190 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		191 |   handler       = "enable_cpu_alarm.lambda_handler"
		192 |   runtime       = "python3.12"
		193 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		194 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_enable_cpu_alarm
	File: /lambda.tf:186-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		186 | resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
		187 |   count         = local.is-production == true ? 1 : 0
		188 |   filename      = "${path.module}/lambda_scripts/enable_cpu_alarm.zip"
		189 |   function_name = "enable_cpu_alarm"
		190 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		191 |   handler       = "enable_cpu_alarm.lambda_handler"
		192 |   runtime       = "python3.12"
		193 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		194 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_enable_cpu_alarm
	File: /lambda.tf:186-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		186 | resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
		187 |   count         = local.is-production == true ? 1 : 0
		188 |   filename      = "${path.module}/lambda_scripts/enable_cpu_alarm.zip"
		189 |   function_name = "enable_cpu_alarm"
		190 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		191 |   handler       = "enable_cpu_alarm.lambda_handler"
		192 |   runtime       = "python3.12"
		193 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		194 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_enable_cpu_alarm
	File: /lambda.tf:186-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		186 | resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
		187 |   count         = local.is-production == true ? 1 : 0
		188 |   filename      = "${path.module}/lambda_scripts/enable_cpu_alarm.zip"
		189 |   function_name = "enable_cpu_alarm"
		190 |   role          = aws_iam_role.lambda_role_alarm_suppression[0].arn
		191 |   handler       = "enable_cpu_alarm.lambda_handler"
		192 |   runtime       = "python3.12"
		193 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
		194 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev
	File: /lambda.tf:209-218
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		209 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" {
		210 |   count         = local.is-development == true ? 1 : 0
		211 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip"
		212 |   function_name = "terminate_cpu_process"
		213 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		214 |   handler       = "terminate_cpu_process_dev.lambda_handler"
		215 |   runtime       = "python3.12"
		216 |   timeout       = 300
		217 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		218 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev
	File: /lambda.tf:209-218
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		209 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" {
		210 |   count         = local.is-development == true ? 1 : 0
		211 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip"
		212 |   function_name = "terminate_cpu_process"
		213 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		214 |   handler       = "terminate_cpu_process_dev.lambda_handler"
		215 |   runtime       = "python3.12"
		216 |   timeout       = 300
		217 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		218 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev
	File: /lambda.tf:209-218
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		209 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" {
		210 |   count         = local.is-development == true ? 1 : 0
		211 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip"
		212 |   function_name = "terminate_cpu_process"
		213 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		214 |   handler       = "terminate_cpu_process_dev.lambda_handler"
		215 |   runtime       = "python3.12"
		216 |   timeout       = 300
		217 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		218 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev
	File: /lambda.tf:209-218
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		209 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" {
		210 |   count         = local.is-development == true ? 1 : 0
		211 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip"
		212 |   function_name = "terminate_cpu_process"
		213 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		214 |   handler       = "terminate_cpu_process_dev.lambda_handler"
		215 |   runtime       = "python3.12"
		216 |   timeout       = 300
		217 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		218 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev
	File: /lambda.tf:209-218
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		209 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" {
		210 |   count         = local.is-development == true ? 1 : 0
		211 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip"
		212 |   function_name = "terminate_cpu_process"
		213 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		214 |   handler       = "terminate_cpu_process_dev.lambda_handler"
		215 |   runtime       = "python3.12"
		216 |   timeout       = 300
		217 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		218 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_uat
	File: /lambda.tf:242-251
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		242 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" {
		243 |   count         = local.is-preproduction == true ? 1 : 0
		244 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip"
		245 |   function_name = "terminate_cpu_process"
		246 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		247 |   handler       = "terminate_cpu_process_uat.lambda_handler"
		248 |   runtime       = "python3.12"
		249 |   timeout       = 300
		250 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		251 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_uat
	File: /lambda.tf:242-251
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		242 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" {
		243 |   count         = local.is-preproduction == true ? 1 : 0
		244 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip"
		245 |   function_name = "terminate_cpu_process"
		246 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		247 |   handler       = "terminate_cpu_process_uat.lambda_handler"
		248 |   runtime       = "python3.12"
		249 |   timeout       = 300
		250 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		251 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_uat
	File: /lambda.tf:242-251
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		242 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" {
		243 |   count         = local.is-preproduction == true ? 1 : 0
		244 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip"
		245 |   function_name = "terminate_cpu_process"
		246 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		247 |   handler       = "terminate_cpu_process_uat.lambda_handler"
		248 |   runtime       = "python3.12"
		249 |   timeout       = 300
		250 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		251 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_uat
	File: /lambda.tf:242-251
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		242 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" {
		243 |   count         = local.is-preproduction == true ? 1 : 0
		244 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip"
		245 |   function_name = "terminate_cpu_process"
		246 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		247 |   handler       = "terminate_cpu_process_uat.lambda_handler"
		248 |   runtime       = "python3.12"
		249 |   timeout       = 300
		250 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		251 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_uat
	File: /lambda.tf:242-251
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		242 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" {
		243 |   count         = local.is-preproduction == true ? 1 : 0
		244 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip"
		245 |   function_name = "terminate_cpu_process"
		246 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		247 |   handler       = "terminate_cpu_process_uat.lambda_handler"
		248 |   runtime       = "python3.12"
		249 |   timeout       = 300
		250 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		251 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_prod
	File: /lambda.tf:275-284
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		275 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" {
		276 |   count         = local.is-production == true ? 1 : 0
		277 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip"
		278 |   function_name = "terminate_cpu_process"
		279 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		280 |   handler       = "terminate_cpu_process_prod.lambda_handler"
		281 |   runtime       = "python3.12"
		282 |   timeout       = 300
		283 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		284 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_prod
	File: /lambda.tf:275-284
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		275 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" {
		276 |   count         = local.is-production == true ? 1 : 0
		277 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip"
		278 |   function_name = "terminate_cpu_process"
		279 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		280 |   handler       = "terminate_cpu_process_prod.lambda_handler"
		281 |   runtime       = "python3.12"
		282 |   timeout       = 300
		283 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		284 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_prod
	File: /lambda.tf:275-284
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		275 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" {
		276 |   count         = local.is-production == true ? 1 : 0
		277 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip"
		278 |   function_name = "terminate_cpu_process"
		279 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		280 |   handler       = "terminate_cpu_process_prod.lambda_handler"
		281 |   runtime       = "python3.12"
		282 |   timeout       = 300
		283 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		284 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_prod
	File: /lambda.tf:275-284
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		275 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" {
		276 |   count         = local.is-production == true ? 1 : 0
		277 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip"
		278 |   function_name = "terminate_cpu_process"
		279 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		280 |   handler       = "terminate_cpu_process_prod.lambda_handler"
		281 |   runtime       = "python3.12"
		282 |   timeout       = 300
		283 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		284 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_prod
	File: /lambda.tf:275-284
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		275 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" {
		276 |   count         = local.is-production == true ? 1 : 0
		277 |   filename      = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip"
		278 |   function_name = "terminate_cpu_process"
		279 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		280 |   handler       = "terminate_cpu_process_prod.lambda_handler"
		281 |   runtime       = "python3.12"
		282 |   timeout       = 300
		283 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		284 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_dev
	File: /lambda.tf:308-317
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		308 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" {
		309 |   count         = local.is-development == true ? 1 : 0
		310 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip"
		311 |   function_name = "send_cpu_notification"
		312 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		313 |   handler       = "send_cpu_notification_dev.lambda_handler"
		314 |   runtime       = "python3.12"
		315 |   timeout       = 300
		316 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		317 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_dev
	File: /lambda.tf:308-317
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		308 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" {
		309 |   count         = local.is-development == true ? 1 : 0
		310 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip"
		311 |   function_name = "send_cpu_notification"
		312 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		313 |   handler       = "send_cpu_notification_dev.lambda_handler"
		314 |   runtime       = "python3.12"
		315 |   timeout       = 300
		316 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		317 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_dev
	File: /lambda.tf:308-317
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		308 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" {
		309 |   count         = local.is-development == true ? 1 : 0
		310 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip"
		311 |   function_name = "send_cpu_notification"
		312 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		313 |   handler       = "send_cpu_notification_dev.lambda_handler"
		314 |   runtime       = "python3.12"
		315 |   timeout       = 300
		316 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		317 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_dev
	File: /lambda.tf:308-317
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		308 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" {
		309 |   count         = local.is-development == true ? 1 : 0
		310 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip"
		311 |   function_name = "send_cpu_notification"
		312 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		313 |   handler       = "send_cpu_notification_dev.lambda_handler"
		314 |   runtime       = "python3.12"
		315 |   timeout       = 300
		316 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		317 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_dev
	File: /lambda.tf:308-317
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		308 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" {
		309 |   count         = local.is-development == true ? 1 : 0
		310 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip"
		311 |   function_name = "send_cpu_notification"
		312 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
		313 |   handler       = "send_cpu_notification_dev.lambda_handler"
		314 |   runtime       = "python3.12"
		315 |   timeout       = 300
		316 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
		317 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_uat
	File: /lambda.tf:341-350
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		341 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" {
		342 |   count         = local.is-preproduction == true ? 1 : 0
		343 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip"
		344 |   function_name = "send_cpu_notification"
		345 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		346 |   handler       = "send_cpu_notification_uat.lambda_handler"
		347 |   runtime       = "python3.12"
		348 |   timeout       = 300
		349 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		350 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_uat
	File: /lambda.tf:341-350
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		341 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" {
		342 |   count         = local.is-preproduction == true ? 1 : 0
		343 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip"
		344 |   function_name = "send_cpu_notification"
		345 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		346 |   handler       = "send_cpu_notification_uat.lambda_handler"
		347 |   runtime       = "python3.12"
		348 |   timeout       = 300
		349 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		350 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_uat
	File: /lambda.tf:341-350
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		341 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" {
		342 |   count         = local.is-preproduction == true ? 1 : 0
		343 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip"
		344 |   function_name = "send_cpu_notification"
		345 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		346 |   handler       = "send_cpu_notification_uat.lambda_handler"
		347 |   runtime       = "python3.12"
		348 |   timeout       = 300
		349 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		350 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_uat
	File: /lambda.tf:341-350
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		341 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" {
		342 |   count         = local.is-preproduction == true ? 1 : 0
		343 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip"
		344 |   function_name = "send_cpu_notification"
		345 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		346 |   handler       = "send_cpu_notification_uat.lambda_handler"
		347 |   runtime       = "python3.12"
		348 |   timeout       = 300
		349 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		350 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_uat
	File: /lambda.tf:341-350
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		341 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" {
		342 |   count         = local.is-preproduction == true ? 1 : 0
		343 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip"
		344 |   function_name = "send_cpu_notification"
		345 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
		346 |   handler       = "send_cpu_notification_uat.lambda_handler"
		347 |   runtime       = "python3.12"
		348 |   timeout       = 300
		349 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
		350 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_prod
	File: /lambda.tf:374-383
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		374 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" {
		375 |   count         = local.is-production == true ? 1 : 0
		376 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip"
		377 |   function_name = "send_cpu_notification"
		378 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		379 |   handler       = "send_cpu_notification_prod.lambda_handler"
		380 |   runtime       = "python3.12"
		381 |   timeout       = 300
		382 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		383 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_prod
	File: /lambda.tf:374-383
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		374 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" {
		375 |   count         = local.is-production == true ? 1 : 0
		376 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip"
		377 |   function_name = "send_cpu_notification"
		378 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		379 |   handler       = "send_cpu_notification_prod.lambda_handler"
		380 |   runtime       = "python3.12"
		381 |   timeout       = 300
		382 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		383 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_prod
	File: /lambda.tf:374-383
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		374 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" {
		375 |   count         = local.is-production == true ? 1 : 0
		376 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip"
		377 |   function_name = "send_cpu_notification"
		378 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		379 |   handler       = "send_cpu_notification_prod.lambda_handler"
		380 |   runtime       = "python3.12"
		381 |   timeout       = 300
		382 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		383 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_prod
	File: /lambda.tf:374-383
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		374 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" {
		375 |   count         = local.is-production == true ? 1 : 0
		376 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip"
		377 |   function_name = "send_cpu_notification"
		378 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		379 |   handler       = "send_cpu_notification_prod.lambda_handler"
		380 |   runtime       = "python3.12"
		381 |   timeout       = 300
		382 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		383 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_prod
	File: /lambda.tf:374-383
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		374 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" {
		375 |   count         = local.is-production == true ? 1 : 0
		376 |   filename      = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip"
		377 |   function_name = "send_cpu_notification"
		378 |   role          = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
		379 |   handler       = "send_cpu_notification_prod.lambda_handler"
		380 |   runtime       = "python3.12"
		381 |   timeout       = 300
		382 |   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
		383 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:44-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		44 | module "pagerduty_core_alerts" {
		45 |   depends_on = [
		46 |     aws_sns_topic.ppud_ddos_alarm
		47 |   ]
		48 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		49 |   sns_topics                = [aws_sns_topic.ppud_ddos_alarm.name]
		50 |   pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"]
		51 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.PPUD
	File: /s3.tf:37-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		37 | resource "aws_s3_bucket_lifecycle_configuration" "PPUD" {
		38 |   count  = local.is-production == true ? 1 : 0
		39 |   bucket = aws_s3_bucket.PPUD[0].id
		40 |   rule {
		41 |     id     = "tf-s3-lifecycle"
		42 |     status = "Enabled"
		43 |     noncurrent_version_transition {
		44 |       noncurrent_days = 30
		45 |       storage_class   = "STANDARD_IA"
		46 |     }
		47 | 
		48 |     transition {
		49 |       days          = 60
		50 |       storage_class = "STANDARD_IA"
		51 |     }
		52 |   }
		53 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.MoJ-Health-Check-Reports
	File: /s3.tf:124-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		124 | resource "aws_s3_bucket_lifecycle_configuration" "MoJ-Health-Check-Reports" {
		125 |   bucket = aws_s3_bucket.MoJ-Health-Check-Reports.id
		126 |   rule {
		127 |     id     = "Remove_Old_SSM_Health_Check_Reports"
		128 |     status = "Enabled"
		129 | 
		130 |     filter {
		131 |       prefix = "ssm_output/"
		132 |     }
		133 | 
		134 |     noncurrent_version_transition {
		135 |       noncurrent_days = 183
		136 |       storage_class   = "STANDARD_IA"
		137 |     }
		138 | 
		139 |     transition {
		140 |       days          = 183
		141 |       storage_class = "STANDARD_IA"
		142 |     }
		143 |   }
		144 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.MoJ-Release-Management
	File: /s3.tf:245-262
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		245 | resource "aws_s3_bucket_lifecycle_configuration" "MoJ-Release-Management" {
		246 |   count  = local.is-production == true ? 1 : 0
		247 |   bucket = aws_s3_bucket.MoJ-Release-Management[0].id
		248 |   rule {
		249 |     id     = "Remove_Old_MoJ-Release-Management"
		250 |     status = "Enabled"
		251 | 
		252 |     noncurrent_version_transition {
		253 |       noncurrent_days = 30
		254 |       storage_class   = "STANDARD_IA"
		255 |     }
		256 | 
		257 |     transition {
		258 |       days          = 30
		259 |       storage_class = "STANDARD_IA"
		260 |     }
		261 |   }
		262 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secretdirectoryservice
	File: /secrets.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		14 | resource "aws_secretsmanager_secret" "secretdirectoryservice" {
		15 |   name                    = "AWSADPASS"
		16 |   recovery_window_in_days = 0
		17 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-WEB-Portal-ingress
	File: /security_group.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		11 | resource "aws_security_group_rule" "PPUD-WEB-Portal-ingress" {
		12 |   type                     = "ingress"
		13 |   from_port                = 443
		14 |   to_port                  = 443
		15 |   protocol                 = "tcp"
		16 |   source_security_group_id = aws_security_group.PPUD-ALB.id
		17 |   security_group_id        = aws_security_group.PPUD-WEB-Portal.id
		18 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-WEB-Portal-ingress-1
	File: /security_group.tf:20-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		20 | resource "aws_security_group_rule" "PPUD-WEB-Portal-ingress-1" {
		21 |   type              = "ingress"
		22 |   from_port         = 80
		23 |   to_port           = 80
		24 |   protocol          = "tcp"
		25 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		26 |   security_group_id = aws_security_group.PPUD-WEB-Portal.id
		27 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-WEB-Portal-ingress-2
	File: /security_group.tf:29-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		29 | resource "aws_security_group_rule" "PPUD-WEB-Portal-ingress-2" {
		30 |   type              = "ingress"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 |   protocol          = "tcp"
		34 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		35 |   security_group_id = aws_security_group.PPUD-WEB-Portal.id
		36 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-WEB-Portal-egress
	File: /security_group.tf:38-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		38 | resource "aws_security_group_rule" "PPUD-WEB-Portal-egress" {
		39 |   type              = "egress"
		40 |   from_port         = 0
		41 |   to_port           = 0
		42 |   protocol          = "all"
		43 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		44 |   security_group_id = aws_security_group.PPUD-WEB-Portal.id
		45 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-WEB-Portal-egress-1
	File: /security_group.tf:47-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		47 | resource "aws_security_group_rule" "PPUD-WEB-Portal-egress-1" {
		48 |   type              = "egress"
		49 |   from_port         = 443
		50 |   to_port           = 443
		51 |   protocol          = "tcp"
		52 |   cidr_blocks       = ["0.0.0.0/0"]
		53 |   security_group_id = aws_security_group.PPUD-WEB-Portal.id
		54 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-WEB-Portal-egress-2
	File: /security_group.tf:56-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		56 | resource "aws_security_group_rule" "PPUD-WEB-Portal-egress-2" {
		57 |   type              = "egress"
		58 |   from_port         = 80
		59 |   to_port           = 80
		60 |   protocol          = "tcp"
		61 |   cidr_blocks       = ["0.0.0.0/0"]
		62 |   security_group_id = aws_security_group.PPUD-WEB-Portal.id
		63 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Portal-ingress
	File: /security_group.tf:75-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		75 | resource "aws_security_group_rule" "WAM-Portal-ingress" {
		76 |   type              = "ingress"
		77 |   from_port         = 80
		78 |   to_port           = 80
		79 |   protocol          = "tcp"
		80 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		81 |   security_group_id = aws_security_group.WAM-Portal.id
		82 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Portal-ingress-1
	File: /security_group.tf:84-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		84 | resource "aws_security_group_rule" "WAM-Portal-ingress-1" {
		85 |   type              = "ingress"
		86 |   from_port         = 3389
		87 |   to_port           = 3389
		88 |   protocol          = "tcp"
		89 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		90 |   security_group_id = aws_security_group.WAM-Portal.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Portal-egress
	File: /security_group.tf:93-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		93  | resource "aws_security_group_rule" "WAM-Portal-egress" {
		94  |   type              = "egress"
		95  |   from_port         = 0
		96  |   to_port           = 0
		97  |   protocol          = "all"
		98  |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		99  |   security_group_id = aws_security_group.WAM-Portal.id
		100 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Portal-egress-1
	File: /security_group.tf:102-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		102 | resource "aws_security_group_rule" "WAM-Portal-egress-1" {
		103 |   type              = "egress"
		104 |   from_port         = 443
		105 |   to_port           = 443
		106 |   protocol          = "tcp"
		107 |   cidr_blocks       = ["0.0.0.0/0"]
		108 |   security_group_id = aws_security_group.WAM-Portal.id
		109 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Portal-egress-2
	File: /security_group.tf:111-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_security_group_rule" "WAM-Portal-egress-2" {
		112 |   type              = "egress"
		113 |   from_port         = 80
		114 |   to_port           = 80
		115 |   protocol          = "tcp"
		116 |   cidr_blocks       = ["0.0.0.0/0"]
		117 |   security_group_id = aws_security_group.WAM-Portal.id
		118 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Data-Access-Server-ingress
	File: /security_group.tf:130-137
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		130 | resource "aws_security_group_rule" "WAM-Data-Access-Server-ingress" {
		131 |   type              = "ingress"
		132 |   from_port         = 80
		133 |   to_port           = 80
		134 |   protocol          = "tcp"
		135 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		136 |   security_group_id = aws_security_group.WAM-Data-Access-Server.id
		137 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Data-Access-Server-ingress-1
	File: /security_group.tf:139-146
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		139 | resource "aws_security_group_rule" "WAM-Data-Access-Server-ingress-1" {
		140 |   type              = "ingress"
		141 |   from_port         = 3389
		142 |   to_port           = 3389
		143 |   protocol          = "tcp"
		144 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		145 |   security_group_id = aws_security_group.WAM-Data-Access-Server.id
		146 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Data-Access-Server-egress
	File: /security_group.tf:149-156
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		149 | resource "aws_security_group_rule" "WAM-Data-Access-Server-egress" {
		150 |   type              = "egress"
		151 |   from_port         = 0
		152 |   to_port           = 0
		153 |   protocol          = "all"
		154 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		155 |   security_group_id = aws_security_group.WAM-Data-Access-Server.id
		156 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Data-Access-Server-Egress-1
	File: /security_group.tf:158-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		158 | resource "aws_security_group_rule" "WAM-Data-Access-Server-Egress-1" {
		159 |   type              = "egress"
		160 |   from_port         = 443
		161 |   to_port           = 443
		162 |   protocol          = "tcp"
		163 |   cidr_blocks       = ["0.0.0.0/0"]
		164 |   security_group_id = aws_security_group.WAM-Data-Access-Server.id
		165 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-Data-Access-Server-Egress-2
	File: /security_group.tf:167-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		167 | resource "aws_security_group_rule" "WAM-Data-Access-Server-Egress-2" {
		168 |   type              = "egress"
		169 |   from_port         = 80
		170 |   to_port           = 80
		171 |   protocol          = "tcp"
		172 |   cidr_blocks       = ["0.0.0.0/0"]
		173 |   security_group_id = aws_security_group.WAM-Data-Access-Server.id
		174 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.SCR-Team-Foundation-Server-Ingress
	File: /security_group.tf:187-195
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		187 | resource "aws_security_group_rule" "SCR-Team-Foundation-Server-Ingress" {
		188 |   count             = local.is-development == true ? 1 : 0
		189 |   type              = "ingress"
		190 |   from_port         = 8080
		191 |   to_port           = 8080
		192 |   protocol          = "tcp"
		193 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		194 |   security_group_id = aws_security_group.SCR-Team-Foundation-Server[0].id
		195 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.SCR-Team-Foundation-Server-Ingress-1
	File: /security_group.tf:197-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		197 | resource "aws_security_group_rule" "SCR-Team-Foundation-Server-Ingress-1" {
		198 |   count             = local.is-development == true ? 1 : 0
		199 |   type              = "ingress"
		200 |   from_port         = 80
		201 |   to_port           = 80
		202 |   protocol          = "tcp"
		203 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		204 |   security_group_id = aws_security_group.SCR-Team-Foundation-Server[0].id
		205 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.SCR-Team-Foundation-Server-Ingress-2
	File: /security_group.tf:207-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		207 | resource "aws_security_group_rule" "SCR-Team-Foundation-Server-Ingress-2" {
		208 |   count             = local.is-development == true ? 1 : 0
		209 |   type              = "ingress"
		210 |   from_port         = 3389
		211 |   to_port           = 3389
		212 |   protocol          = "tcp"
		213 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		214 |   security_group_id = aws_security_group.SCR-Team-Foundation-Server[0].id
		215 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.SCR-Team-Foundation-Server-Egress
	File: /security_group.tf:217-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		217 | resource "aws_security_group_rule" "SCR-Team-Foundation-Server-Egress" {
		218 |   count             = local.is-development == true ? 1 : 0
		219 |   type              = "egress"
		220 |   from_port         = 0
		221 |   to_port           = 0
		222 |   protocol          = "all"
		223 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		224 |   security_group_id = aws_security_group.SCR-Team-Foundation-Server[0].id
		225 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.SCR-Team-Foundation-Server-Egress-1
	File: /security_group.tf:227-235
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		227 | resource "aws_security_group_rule" "SCR-Team-Foundation-Server-Egress-1" {
		228 |   count             = local.is-development == true ? 1 : 0
		229 |   type              = "egress"
		230 |   from_port         = 443
		231 |   to_port           = 443
		232 |   protocol          = "tcp"
		233 |   cidr_blocks       = ["0.0.0.0/0"]
		234 |   security_group_id = aws_security_group.SCR-Team-Foundation-Server[0].id
		235 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.SCR-Team-Foundation-Server-Egress-2
	File: /security_group.tf:237-245
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		237 | resource "aws_security_group_rule" "SCR-Team-Foundation-Server-Egress-2" {
		238 |   count             = local.is-development == true ? 1 : 0
		239 |   type              = "egress"
		240 |   from_port         = 80
		241 |   to_port           = 80
		242 |   protocol          = "tcp"
		243 |   cidr_blocks       = ["0.0.0.0/0"]
		244 |   security_group_id = aws_security_group.SCR-Team-Foundation-Server[0].id
		245 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW106-Egress
	File: /security_group.tf:260-268
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		260 | resource "aws_security_group_rule" "Dev-Box-VW106-Egress" {
		261 |   count             = local.is-development == true ? 1 : 0
		262 |   type              = "egress"
		263 |   from_port         = 0
		264 |   to_port           = 0
		265 |   protocol          = "all"
		266 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		267 |   security_group_id = aws_security_group.Dev-Box-VW106[0].id
		268 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW106-Egress-1
	File: /security_group.tf:270-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		270 | resource "aws_security_group_rule" "Dev-Box-VW106-Egress-1" {
		271 |   count             = local.is-development == true ? 1 : 0
		272 |   type              = "egress"
		273 |   from_port         = 443
		274 |   to_port           = 443
		275 |   protocol          = "tcp"
		276 |   cidr_blocks       = ["0.0.0.0/0"]
		277 |   security_group_id = aws_security_group.Dev-Box-VW106[0].id
		278 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW106-Egress-2
	File: /security_group.tf:280-288
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		280 | resource "aws_security_group_rule" "Dev-Box-VW106-Egress-2" {
		281 |   count             = local.is-development == true ? 1 : 0
		282 |   type              = "egress"
		283 |   from_port         = 80
		284 |   to_port           = 80
		285 |   protocol          = "tcp"
		286 |   cidr_blocks       = ["0.0.0.0/0"]
		287 |   security_group_id = aws_security_group.Dev-Box-VW106[0].id
		288 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW107-Egress
	File: /security_group.tf:304-312
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		304 | resource "aws_security_group_rule" "Dev-Box-VW107-Egress" {
		305 |   count             = local.is-development == true ? 1 : 0
		306 |   type              = "egress"
		307 |   from_port         = 0
		308 |   to_port           = 0
		309 |   protocol          = "all"
		310 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		311 |   security_group_id = aws_security_group.Dev-Box-VW107[0].id
		312 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW107-Egress-1
	File: /security_group.tf:314-322
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		314 | resource "aws_security_group_rule" "Dev-Box-VW107-Egress-1" {
		315 |   count             = local.is-development == true ? 1 : 0
		316 |   type              = "egress"
		317 |   from_port         = 443
		318 |   to_port           = 443
		319 |   protocol          = "tcp"
		320 |   cidr_blocks       = ["0.0.0.0/0"]
		321 |   security_group_id = aws_security_group.Dev-Box-VW107[0].id
		322 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW107-Egress-2
	File: /security_group.tf:324-332
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		324 | resource "aws_security_group_rule" "Dev-Box-VW107-Egress-2" {
		325 |   count             = local.is-development == true ? 1 : 0
		326 |   type              = "egress"
		327 |   from_port         = 80
		328 |   to_port           = 80
		329 |   protocol          = "tcp"
		330 |   cidr_blocks       = ["0.0.0.0/0"]
		331 |   security_group_id = aws_security_group.Dev-Box-VW107[0].id
		332 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW108-Egress
	File: /security_group.tf:347-355
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		347 | resource "aws_security_group_rule" "Dev-Box-VW108-Egress" {
		348 |   count             = local.is-development == true ? 1 : 0
		349 |   type              = "egress"
		350 |   from_port         = 0
		351 |   to_port           = 0
		352 |   protocol          = "all"
		353 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		354 |   security_group_id = aws_security_group.Dev-Box-VW108[0].id
		355 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW108-Egress-1
	File: /security_group.tf:357-365
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		357 | resource "aws_security_group_rule" "Dev-Box-VW108-Egress-1" {
		358 |   count             = local.is-development == true ? 1 : 0
		359 |   type              = "egress"
		360 |   from_port         = 443
		361 |   to_port           = 443
		362 |   protocol          = "tcp"
		363 |   cidr_blocks       = ["0.0.0.0/0"]
		364 |   security_group_id = aws_security_group.Dev-Box-VW108[0].id
		365 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Dev-Box-VW108-Egress-2
	File: /security_group.tf:367-375
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		367 | resource "aws_security_group_rule" "Dev-Box-VW108-Egress-2" {
		368 |   count             = local.is-development == true ? 1 : 0
		369 |   type              = "egress"
		370 |   from_port         = 80
		371 |   to_port           = 80
		372 |   protocol          = "tcp"
		373 |   cidr_blocks       = ["0.0.0.0/0"]
		374 |   security_group_id = aws_security_group.Dev-Box-VW108[0].id
		375 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Primary-DOC-Server-Ingress
	File: /security_group.tf:388-396
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		388 | resource "aws_security_group_rule" "Primary-DOC-Server-Ingress" {
		389 |   count             = local.is-preproduction == false ? 1 : 0
		390 |   type              = "ingress"
		391 |   from_port         = 80
		392 |   to_port           = 80
		393 |   protocol          = "tcp"
		394 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		395 |   security_group_id = aws_security_group.Primary-DOC-Server[0].id
		396 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Primary-DOC-Server-Ingress-1
	File: /security_group.tf:398-406
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		398 | resource "aws_security_group_rule" "Primary-DOC-Server-Ingress-1" {
		399 |   count             = local.is-preproduction == false ? 1 : 0
		400 |   type              = "ingress"
		401 |   from_port         = 445
		402 |   to_port           = 445
		403 |   protocol          = "tcp"
		404 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		405 |   security_group_id = aws_security_group.Primary-DOC-Server[0].id
		406 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Primary-DOC-Server-Ingress-2
	File: /security_group.tf:408-416
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		408 | resource "aws_security_group_rule" "Primary-DOC-Server-Ingress-2" {
		409 |   count             = local.is-preproduction == false ? 1 : 0
		410 |   type              = "ingress"
		411 |   from_port         = 3389
		412 |   to_port           = 3389
		413 |   protocol          = "tcp"
		414 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		415 |   security_group_id = aws_security_group.Primary-DOC-Server[0].id
		416 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Primary-DOC-Server-Egress
	File: /security_group.tf:418-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		418 | resource "aws_security_group_rule" "Primary-DOC-Server-Egress" {
		419 |   count             = local.is-preproduction == false ? 1 : 0
		420 |   type              = "egress"
		421 |   from_port         = 0
		422 |   to_port           = 0
		423 |   protocol          = "all"
		424 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		425 |   security_group_id = aws_security_group.Primary-DOC-Server[0].id
		426 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Primary-DOC-Server-Egress-1
	File: /security_group.tf:428-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		428 | resource "aws_security_group_rule" "Primary-DOC-Server-Egress-1" {
		429 |   count             = local.is-preproduction == false ? 1 : 0
		430 |   type              = "egress"
		431 |   from_port         = 443
		432 |   to_port           = 443
		433 |   protocol          = "tcp"
		434 |   cidr_blocks       = ["0.0.0.0/0"]
		435 |   security_group_id = aws_security_group.Primary-DOC-Server[0].id
		436 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Primary-DOC-Server-Egress-2
	File: /security_group.tf:438-446
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		438 | resource "aws_security_group_rule" "Primary-DOC-Server-Egress-2" {
		439 |   count             = local.is-preproduction == false ? 1 : 0
		440 |   type              = "egress"
		441 |   from_port         = 80
		442 |   to_port           = 80
		443 |   protocol          = "tcp"
		444 |   cidr_blocks       = ["0.0.0.0/0"]
		445 |   security_group_id = aws_security_group.Primary-DOC-Server[0].id
		446 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Secondary-DOC-Server-Ingress
	File: /security_group.tf:460-468
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		460 | resource "aws_security_group_rule" "Secondary-DOC-Server-Ingress" {
		461 |   count             = local.is-preproduction == false ? 1 : 0
		462 |   type              = "ingress"
		463 |   from_port         = 80
		464 |   to_port           = 80
		465 |   protocol          = "tcp"
		466 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		467 |   security_group_id = aws_security_group.Secondary-DOC-Server[0].id
		468 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Secondary-DOC-Server-Ingress-1
	File: /security_group.tf:470-478
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		470 | resource "aws_security_group_rule" "Secondary-DOC-Server-Ingress-1" {
		471 |   count             = local.is-preproduction == false ? 1 : 0
		472 |   type              = "ingress"
		473 |   from_port         = 445
		474 |   to_port           = 445
		475 |   protocol          = "tcp"
		476 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		477 |   security_group_id = aws_security_group.Secondary-DOC-Server[0].id
		478 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Secondary-DOC-Server-Ingress-2
	File: /security_group.tf:480-488
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		480 | resource "aws_security_group_rule" "Secondary-DOC-Server-Ingress-2" {
		481 |   count             = local.is-preproduction == false ? 1 : 0
		482 |   type              = "ingress"
		483 |   from_port         = 3389
		484 |   to_port           = 3389
		485 |   protocol          = "tcp"
		486 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		487 |   security_group_id = aws_security_group.Secondary-DOC-Server[0].id
		488 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Secondary-DOC-Server-Egress
	File: /security_group.tf:490-498
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		490 | resource "aws_security_group_rule" "Secondary-DOC-Server-Egress" {
		491 |   count             = local.is-preproduction == false ? 1 : 0
		492 |   type              = "egress"
		493 |   from_port         = 0
		494 |   to_port           = 0
		495 |   protocol          = "all"
		496 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		497 |   security_group_id = aws_security_group.Secondary-DOC-Server[0].id
		498 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Secondary-DOC-Server-Egress-1
	File: /security_group.tf:500-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		500 | resource "aws_security_group_rule" "Secondary-DOC-Server-Egress-1" {
		501 |   count             = local.is-preproduction == false ? 1 : 0
		502 |   type              = "egress"
		503 |   from_port         = 443
		504 |   to_port           = 443
		505 |   protocol          = "tcp"
		506 |   cidr_blocks       = ["0.0.0.0/0"]
		507 |   security_group_id = aws_security_group.Secondary-DOC-Server[0].id
		508 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.Secondary-DOC-Server-Egress-2
	File: /security_group.tf:510-518
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		510 | resource "aws_security_group_rule" "Secondary-DOC-Server-Egress-2" {
		511 |   count             = local.is-preproduction == false ? 1 : 0
		512 |   type              = "egress"
		513 |   from_port         = 80
		514 |   to_port           = 80
		515 |   protocol          = "tcp"
		516 |   cidr_blocks       = ["0.0.0.0/0"]
		517 |   security_group_id = aws_security_group.Secondary-DOC-Server[0].id
		518 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Database-Server-Ingress
	File: /security_group.tf:531-539
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		531 | resource "aws_security_group_rule" "PPUD-Database-Server-Ingress" {
		532 |   count             = local.is-development == true ? 1 : 0
		533 |   type              = "ingress"
		534 |   from_port         = 1433
		535 |   to_port           = 1433
		536 |   protocol          = "tcp"
		537 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		538 |   security_group_id = aws_security_group.PPUD-Database-Server[0].id
		539 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Database-Server-Ingress-1
	File: /security_group.tf:541-549
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		541 | resource "aws_security_group_rule" "PPUD-Database-Server-Ingress-1" {
		542 |   count             = local.is-development == true ? 1 : 0
		543 |   type              = "ingress"
		544 |   from_port         = 3389
		545 |   to_port           = 3389
		546 |   protocol          = "tcp"
		547 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		548 |   security_group_id = aws_security_group.PPUD-Database-Server[0].id
		549 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Database-Server-Egress
	File: /security_group.tf:551-559
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		551 | resource "aws_security_group_rule" "PPUD-Database-Server-Egress" {
		552 |   count             = local.is-development == true ? 1 : 0
		553 |   type              = "egress"
		554 |   from_port         = 0
		555 |   to_port           = 0
		556 |   protocol          = "all"
		557 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		558 |   security_group_id = aws_security_group.PPUD-Database-Server[0].id
		559 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Database-Server-Egress-1
	File: /security_group.tf:561-569
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		561 | resource "aws_security_group_rule" "PPUD-Database-Server-Egress-1" {
		562 |   count             = local.is-development == true ? 1 : 0
		563 |   type              = "egress"
		564 |   from_port         = 443
		565 |   to_port           = 443
		566 |   protocol          = "tcp"
		567 |   cidr_blocks       = ["0.0.0.0/0"]
		568 |   security_group_id = aws_security_group.PPUD-Database-Server[0].id
		569 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Database-Server-Egress-2
	File: /security_group.tf:571-579
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		571 | resource "aws_security_group_rule" "PPUD-Database-Server-Egress-2" {
		572 |   count             = local.is-development == true ? 1 : 0
		573 |   type              = "egress"
		574 |   from_port         = 80
		575 |   to_port           = 80
		576 |   protocol          = "tcp"
		577 |   cidr_blocks       = ["0.0.0.0/0"]
		578 |   security_group_id = aws_security_group.PPUD-Database-Server[0].id
		579 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-ALB-Ingress
	File: /security_group.tf:591-598
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		591 | resource "aws_security_group_rule" "PPUD-ALB-Ingress" {
		592 |   type              = "ingress"
		593 |   from_port         = 443
		594 |   to_port           = 443
		595 |   protocol          = "tcp"
		596 |   cidr_blocks       = ["0.0.0.0/0"]
		597 |   security_group_id = aws_security_group.PPUD-ALB.id
		598 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-ALB-Egress
	File: /security_group.tf:600-607
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		600 | resource "aws_security_group_rule" "PPUD-ALB-Egress" {
		601 |   type              = "egress"
		602 |   from_port         = 443
		603 |   to_port           = 443
		604 |   protocol          = "tcp"
		605 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		606 |   security_group_id = aws_security_group.PPUD-ALB.id
		607 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-ALB-Egress-1
	File: /security_group.tf:609-616
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		609 | resource "aws_security_group_rule" "PPUD-ALB-Egress-1" {
		610 |   type              = "egress"
		611 |   from_port         = 80
		612 |   to_port           = 80
		613 |   protocol          = "tcp"
		614 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		615 |   security_group_id = aws_security_group.PPUD-ALB.id
		616 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-ALB-Ingress
	File: /security_group.tf:628-635
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		628 | resource "aws_security_group_rule" "WAM-ALB-Ingress" {
		629 |   type              = "ingress"
		630 |   from_port         = 443
		631 |   to_port           = 443
		632 |   protocol          = "tcp"
		633 |   cidr_blocks       = ["0.0.0.0/0"]
		634 |   security_group_id = aws_security_group.WAM-ALB.id
		635 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-ALB-Egress
	File: /security_group.tf:637-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		637 | resource "aws_security_group_rule" "WAM-ALB-Egress" {
		638 |   type              = "egress"
		639 |   from_port         = 80
		640 |   to_port           = 80
		641 |   protocol          = "tcp"
		642 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		643 |   security_group_id = aws_security_group.WAM-ALB.id
		644 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.WAM-ALB-Egress-1
	File: /security_group.tf:645-652
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		645 | resource "aws_security_group_rule" "WAM-ALB-Egress-1" {
		646 |   type              = "egress"
		647 |   from_port         = 443
		648 |   to_port           = 443
		649 |   protocol          = "tcp"
		650 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		651 |   security_group_id = aws_security_group.WAM-ALB.id
		652 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Bridge-Server-Ingress
	File: /security_group.tf:665-673
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		665 | resource "aws_security_group_rule" "UAT-Bridge-Server-Ingress" {
		666 |   count             = local.is-development == false ? 1 : 0
		667 |   type              = "ingress"
		668 |   from_port         = 80
		669 |   to_port           = 80
		670 |   protocol          = "tcp"
		671 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		672 |   security_group_id = aws_security_group.Bridge-Server[0].id
		673 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Bridge-Server-Ingress-1
	File: /security_group.tf:675-683
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		675 | resource "aws_security_group_rule" "UAT-Bridge-Server-Ingress-1" {
		676 |   count             = local.is-development == false ? 1 : 0
		677 |   type              = "ingress"
		678 |   from_port         = 3389
		679 |   to_port           = 3389
		680 |   protocol          = "tcp"
		681 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		682 |   security_group_id = aws_security_group.Bridge-Server[0].id
		683 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Bridge-Server-Egress
	File: /security_group.tf:685-693
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		685 | resource "aws_security_group_rule" "UAT-Bridge-Server-Egress" {
		686 |   count             = local.is-development == false ? 1 : 0
		687 |   type              = "egress"
		688 |   from_port         = 0
		689 |   to_port           = 0
		690 |   protocol          = "all"
		691 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		692 |   security_group_id = aws_security_group.Bridge-Server[0].id
		693 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Bridge-Server-Egress-1
	File: /security_group.tf:694-702
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		694 | resource "aws_security_group_rule" "UAT-Bridge-Server-Egress-1" {
		695 |   count             = local.is-development == false ? 1 : 0
		696 |   type              = "egress"
		697 |   from_port         = 443
		698 |   to_port           = 443
		699 |   protocol          = "tcp"
		700 |   cidr_blocks       = ["0.0.0.0/0"]
		701 |   security_group_id = aws_security_group.Bridge-Server[0].id
		702 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Bridge-Server-Egress-2
	File: /security_group.tf:704-712
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		704 | resource "aws_security_group_rule" "UAT-Bridge-Server-Egress-2" {
		705 |   count             = local.is-development == false ? 1 : 0
		706 |   type              = "egress"
		707 |   from_port         = 80
		708 |   to_port           = 80
		709 |   protocol          = "tcp"
		710 |   cidr_blocks       = ["0.0.0.0/0"]
		711 |   security_group_id = aws_security_group.Bridge-Server[0].id
		712 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Document-Service-Ingress
	File: /security_group.tf:725-733
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		725 | resource "aws_security_group_rule" "UAT-Document-Service-Ingress" {
		726 |   count             = local.is-preproduction == true ? 1 : 0
		727 |   type              = "ingress"
		728 |   from_port         = 80
		729 |   to_port           = 80
		730 |   protocol          = "tcp"
		731 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		732 |   security_group_id = aws_security_group.UAT-Document-Service[0].id
		733 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Document-Service-Ingress-1
	File: /security_group.tf:735-743
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		735 | resource "aws_security_group_rule" "UAT-Document-Service-Ingress-1" {
		736 |   count             = local.is-preproduction == true ? 1 : 0
		737 |   type              = "ingress"
		738 |   from_port         = 1433
		739 |   to_port           = 1433
		740 |   protocol          = "tcp"
		741 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		742 |   security_group_id = aws_security_group.UAT-Document-Service[0].id
		743 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Document-Service-Ingress-2
	File: /security_group.tf:745-753
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		745 | resource "aws_security_group_rule" "UAT-Document-Service-Ingress-2" {
		746 |   count             = local.is-preproduction == true ? 1 : 0
		747 |   type              = "ingress"
		748 |   from_port         = 3389
		749 |   to_port           = 3389
		750 |   protocol          = "tcp"
		751 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		752 |   security_group_id = aws_security_group.UAT-Document-Service[0].id
		753 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Document-Service-Egress
	File: /security_group.tf:755-763
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		755 | resource "aws_security_group_rule" "UAT-Document-Service-Egress" {
		756 |   count             = local.is-preproduction == true ? 1 : 0
		757 |   type              = "egress"
		758 |   from_port         = 0
		759 |   to_port           = 0
		760 |   protocol          = "all"
		761 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		762 |   security_group_id = aws_security_group.UAT-Document-Service[0].id
		763 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Document-Service-Egress-1
	File: /security_group.tf:765-773
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		765 | resource "aws_security_group_rule" "UAT-Document-Service-Egress-1" {
		766 |   count             = local.is-preproduction == true ? 1 : 0
		767 |   type              = "egress"
		768 |   from_port         = 443
		769 |   to_port           = 443
		770 |   protocol          = "tcp"
		771 |   cidr_blocks       = ["0.0.0.0/0"]
		772 |   security_group_id = aws_security_group.UAT-Document-Service[0].id
		773 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.UAT-Document-Service-Egress-2
	File: /security_group.tf:775-783
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		775 | resource "aws_security_group_rule" "UAT-Document-Service-Egress-2" {
		776 |   count             = local.is-preproduction == true ? 1 : 0
		777 |   type              = "egress"
		778 |   from_port         = 80
		779 |   to_port           = 80
		780 |   protocol          = "tcp"
		781 |   cidr_blocks       = ["0.0.0.0/0"]
		782 |   security_group_id = aws_security_group.UAT-Document-Service[0].id
		783 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-PROD-Database-Ingress
	File: /security_group.tf:796-804
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		796 | resource "aws_security_group_rule" "PPUD-PROD-Database-Ingress" {
		797 |   count             = local.is-production == true ? 1 : 0
		798 |   type              = "ingress"
		799 |   from_port         = 3180
		800 |   to_port           = 3180
		801 |   protocol          = "tcp"
		802 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		803 |   security_group_id = aws_security_group.PPUD-PROD-Database[0].id
		804 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-PROD-Database-Ingress-1
	File: /security_group.tf:806-814
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		806 | resource "aws_security_group_rule" "PPUD-PROD-Database-Ingress-1" {
		807 |   count             = local.is-production == true ? 1 : 0
		808 |   type              = "ingress"
		809 |   from_port         = 3389
		810 |   to_port           = 3389
		811 |   protocol          = "tcp"
		812 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		813 |   security_group_id = aws_security_group.PPUD-PROD-Database[0].id
		814 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-PROD-Database-Egress
	File: /security_group.tf:816-824
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		816 | resource "aws_security_group_rule" "PPUD-PROD-Database-Egress" {
		817 |   count             = local.is-production == true ? 1 : 0
		818 |   type              = "egress"
		819 |   from_port         = 0
		820 |   to_port           = 0
		821 |   protocol          = "all"
		822 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		823 |   security_group_id = aws_security_group.PPUD-PROD-Database[0].id
		824 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Database-Egress-1
	File: /security_group.tf:826-834
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		826 | resource "aws_security_group_rule" "PPUD-Database-Egress-1" {
		827 |   count             = local.is-production == true ? 1 : 0
		828 |   type              = "egress"
		829 |   from_port         = 443
		830 |   to_port           = 443
		831 |   protocol          = "tcp"
		832 |   cidr_blocks       = ["0.0.0.0/0"]
		833 |   security_group_id = aws_security_group.PPUD-PROD-Database[0].id
		834 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Database-Egress-2
	File: /security_group.tf:836-844
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		836 | resource "aws_security_group_rule" "PPUD-Database-Egress-2" {
		837 |   count             = local.is-production == true ? 1 : 0
		838 |   type              = "egress"
		839 |   from_port         = 80
		840 |   to_port           = 80
		841 |   protocol          = "tcp"
		842 |   cidr_blocks       = ["0.0.0.0/0"]
		843 |   security_group_id = aws_security_group.PPUD-PROD-Database[0].id
		844 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Mail-Server-Ingress
	File: /security_group.tf:857-865
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		857 | resource "aws_security_group_rule" "PPUD-Mail-Server-Ingress" {
		858 |   count             = local.is-production == true ? 1 : 0
		859 |   type              = "ingress"
		860 |   from_port         = 25
		861 |   to_port           = 25
		862 |   protocol          = "tcp"
		863 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		864 |   security_group_id = aws_security_group.PPUD-Mail-Server[0].id
		865 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Mail-Server-Egress
	File: /security_group.tf:867-875
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		867 | resource "aws_security_group_rule" "PPUD-Mail-Server-Egress" {
		868 |   count             = local.is-production == true ? 1 : 0
		869 |   type              = "egress"
		870 |   from_port         = 443
		871 |   to_port           = 443
		872 |   protocol          = "tcp"
		873 |   cidr_blocks       = ["0.0.0.0/0"]
		874 |   security_group_id = aws_security_group.PPUD-Mail-Server[0].id
		875 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Mail-Server-Egress-1
	File: /security_group.tf:877-885
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		877 | resource "aws_security_group_rule" "PPUD-Mail-Server-Egress-1" {
		878 |   count             = local.is-production == true ? 1 : 0
		879 |   type              = "egress"
		880 |   from_port         = 25
		881 |   to_port           = 25
		882 |   protocol          = "tcp"
		883 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		884 |   security_group_id = aws_security_group.PPUD-Mail-Server[0].id
		885 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Mail-Server-Egress-2
	File: /security_group.tf:887-895
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		887 | resource "aws_security_group_rule" "PPUD-Mail-Server-Egress-2" {
		888 |   count             = local.is-production == true ? 1 : 0
		889 |   type              = "egress"
		890 |   from_port         = 0
		891 |   to_port           = 0
		892 |   protocol          = "all"
		893 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		894 |   security_group_id = aws_security_group.PPUD-Mail-Server[0].id
		895 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Mail-Server-2-Ingress
	File: /security_group.tf:908-916
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		908 | resource "aws_security_group_rule" "PPUD-Mail-Server-2-Ingress" {
		909 |   count             = local.is-production == true ? 1 : 0
		910 |   type              = "ingress"
		911 |   from_port         = 25
		912 |   to_port           = 25
		913 |   protocol          = "tcp"
		914 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		915 |   security_group_id = aws_security_group.PPUD-Mail-Server-2[0].id
		916 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Mail-Server-2-Egress
	File: /security_group.tf:918-926
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		918 | resource "aws_security_group_rule" "PPUD-Mail-Server-2-Egress" {
		919 |   count             = local.is-production == true ? 1 : 0
		920 |   type              = "egress"
		921 |   from_port         = 443
		922 |   to_port           = 443
		923 |   protocol          = "tcp"
		924 |   cidr_blocks       = ["0.0.0.0/0"]
		925 |   security_group_id = aws_security_group.PPUD-Mail-Server-2[0].id
		926 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Mail-Server-2-Egress-1
	File: /security_group.tf:928-936
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		928 | resource "aws_security_group_rule" "PPUD-Mail-Server-2-Egress-1" {
		929 |   count             = local.is-production == true ? 1 : 0
		930 |   type              = "egress"
		931 |   from_port         = 0
		932 |   to_port           = 0
		933 |   protocol          = "all"
		934 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		935 |   security_group_id = aws_security_group.PPUD-Mail-Server-2[0].id
		936 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.PPUD-Mail-Server-2-Egress-2
	File: /security_group.tf:938-946
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		938 | resource "aws_security_group_rule" "PPUD-Mail-Server-2-Egress-2" {
		939 |   count             = local.is-production == true ? 1 : 0
		940 |   type              = "egress"
		941 |   from_port         = 25
		942 |   to_port           = 25
		943 |   protocol          = "tcp"
		944 |   cidr_blocks       = ["0.0.0.0/0"]
		945 |   security_group_id = aws_security_group.PPUD-Mail-Server-2[0].id
		946 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.docker-build-server-Egress
	File: /security_group.tf:961-969
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		961 | resource "aws_security_group_rule" "docker-build-server-Egress" {
		962 |   count             = local.is-production == true ? 1 : 0
		963 |   type              = "egress"
		964 |   from_port         = 443
		965 |   to_port           = 443
		966 |   protocol          = "tcp"
		967 |   cidr_blocks       = ["0.0.0.0/0"]
		968 |   security_group_id = aws_security_group.docker-build-server[0].id
		969 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.docker-build-server-Egress-1
	File: /security_group.tf:971-979
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		971 | resource "aws_security_group_rule" "docker-build-server-Egress-1" {
		972 |   count             = local.is-production == true ? 1 : 0
		973 |   type              = "egress"
		974 |   from_port         = 0
		975 |   to_port           = 0
		976 |   protocol          = "all"
		977 |   cidr_blocks       = [data.aws_vpc.shared.cidr_block]
		978 |   security_group_id = aws_security_group.docker-build-server[0].id
		979 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.docker-build-server-Egress-2
	File: /security_group.tf:981-989
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		981 | resource "aws_security_group_rule" "docker-build-server-Egress-2" {
		982 |   count             = local.is-production == true ? 1 : 0
		983 |   type              = "egress"
		984 |   from_port         = 80
		985 |   to_port           = 80
		986 |   protocol          = "tcp"
		987 |   cidr_blocks       = ["0.0.0.0/0"]
		988 |   security_group_id = aws_security_group.docker-build-server[0].id
		989 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		2 | resource "aws_sns_topic" "cw_alerts" {
		3 |   count = local.is-production == true ? 1 : 0
		4 |   name  = "ppud-prod-cw-alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_uat_alerts
	File: /sns.tf:22-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		22 | resource "aws_sns_topic" "cw_uat_alerts" {
		23 |   count = local.is-preproduction == true ? 1 : 0
		24 |   name  = "ppud-uat-cw-alerts"
		25 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.PPUD
	File: /s3.tf:6-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		6  | resource "aws_s3_bucket" "PPUD" {
		7  |   count  = local.is-production == true ? 1 : 0
		8  |   bucket = "${local.application_name}-ppud-files-${local.environment}"
		9  | 
		10 |   lifecycle {
		11 |     prevent_destroy = true
		12 |   }
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     {
		17 |       Name = "${local.application_name}-PPUD-S3"
		18 |     }
		19 |   )
		20 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.MoJ-Health-Check-Reports
	File: /s3.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		105 | resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
		106 |   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
		107 |   tags = merge(
		108 |     local.tags,
		109 |     {
		110 |       Name = "${local.application_name}-moj-health-check-reports"
		111 |     }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.moj-scripts
	File: /s3.tf:161-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		161 | resource "aws_s3_bucket" "moj-scripts" {
		162 |   count  = local.is-production == true ? 1 : 0
		163 |   bucket = "moj-scripts"
		164 |   tags = merge(
		165 |     local.tags,
		166 |     {
		167 |       Name = "${local.application_name}-moj-scripts"
		168 |     }
		169 |   )
		170 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.MoJ-Release-Management
	File: /s3.tf:226-235
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		226 | resource "aws_s3_bucket" "MoJ-Release-Management" {
		227 |   count  = local.is-production == true ? 1 : 0
		228 |   bucket = "moj-release-management"
		229 |   tags = merge(
		230 |     local.tags,
		231 |     {
		232 |       Name = "${local.application_name}-moj-release-management"
		233 |     }
		234 |   )
		235 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secretdirectoryservice
	File: /secrets.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		14 | resource "aws_secretsmanager_secret" "secretdirectoryservice" {
		15 |   name                    = "AWSADPASS"
		16 |   recovery_window_in_days = 0
		17 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.moj-scripts
	File: /s3.tf:161-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		161 | resource "aws_s3_bucket" "moj-scripts" {
		162 |   count  = local.is-production == true ? 1 : 0
		163 |   bucket = "moj-scripts"
		164 |   tags = merge(
		165 |     local.tags,
		166 |     {
		167 |       Name = "${local.application_name}-moj-scripts"
		168 |     }
		169 |   )
		170 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.PPUD
	File: /s3.tf:6-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		6  | resource "aws_s3_bucket" "PPUD" {
		7  |   count  = local.is-production == true ? 1 : 0
		8  |   bucket = "${local.application_name}-ppud-files-${local.environment}"
		9  | 
		10 |   lifecycle {
		11 |     prevent_destroy = true
		12 |   }
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     {
		17 |       Name = "${local.application_name}-PPUD-S3"
		18 |     }
		19 |   )
		20 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.MoJ-Health-Check-Reports
	File: /s3.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		105 | resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
		106 |   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
		107 |   tags = merge(
		108 |     local.tags,
		109 |     {
		110 |       Name = "${local.application_name}-moj-health-check-reports"
		111 |     }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.moj-scripts
	File: /s3.tf:161-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		161 | resource "aws_s3_bucket" "moj-scripts" {
		162 |   count  = local.is-production == true ? 1 : 0
		163 |   bucket = "moj-scripts"
		164 |   tags = merge(
		165 |     local.tags,
		166 |     {
		167 |       Name = "${local.application_name}-moj-scripts"
		168 |     }
		169 |   )
		170 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.MoJ-Release-Management
	File: /s3.tf:226-235
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		226 | resource "aws_s3_bucket" "MoJ-Release-Management" {
		227 |   count  = local.is-production == true ? 1 : 0
		228 |   bucket = "moj-release-management"
		229 |   tags = merge(
		230 |     local.tags,
		231 |     {
		232 |       Name = "${local.application_name}-moj-release-management"
		233 |     }
		234 |   )
		235 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.PPUD
	File: /s3.tf:6-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		6  | resource "aws_s3_bucket" "PPUD" {
		7  |   count  = local.is-production == true ? 1 : 0
		8  |   bucket = "${local.application_name}-ppud-files-${local.environment}"
		9  | 
		10 |   lifecycle {
		11 |     prevent_destroy = true
		12 |   }
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     {
		17 |       Name = "${local.application_name}-PPUD-S3"
		18 |     }
		19 |   )
		20 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.MoJ-Health-Check-Reports
	File: /s3.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		105 | resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
		106 |   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
		107 |   tags = merge(
		108 |     local.tags,
		109 |     {
		110 |       Name = "${local.application_name}-moj-health-check-reports"
		111 |     }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.moj-scripts
	File: /s3.tf:161-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		161 | resource "aws_s3_bucket" "moj-scripts" {
		162 |   count  = local.is-production == true ? 1 : 0
		163 |   bucket = "moj-scripts"
		164 |   tags = merge(
		165 |     local.tags,
		166 |     {
		167 |       Name = "${local.application_name}-moj-scripts"
		168 |     }
		169 |   )
		170 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.MoJ-Release-Management
	File: /s3.tf:226-235
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		226 | resource "aws_s3_bucket" "MoJ-Release-Management" {
		227 |   count  = local.is-production == true ? 1 : 0
		228 |   bucket = "moj-release-management"
		229 |   tags = merge(
		230 |     local.tags,
		231 |     {
		232 |       Name = "${local.application_name}-moj-release-management"
		233 |     }
		234 |   )
		235 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.PPUD
	File: /s3.tf:6-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		6  | resource "aws_s3_bucket" "PPUD" {
		7  |   count  = local.is-production == true ? 1 : 0
		8  |   bucket = "${local.application_name}-ppud-files-${local.environment}"
		9  | 
		10 |   lifecycle {
		11 |     prevent_destroy = true
		12 |   }
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     {
		17 |       Name = "${local.application_name}-PPUD-S3"
		18 |     }
		19 |   )
		20 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.MoJ-Health-Check-Reports
	File: /s3.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		105 | resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
		106 |   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
		107 |   tags = merge(
		108 |     local.tags,
		109 |     {
		110 |       Name = "${local.application_name}-moj-health-check-reports"
		111 |     }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.moj-scripts
	File: /s3.tf:161-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		161 | resource "aws_s3_bucket" "moj-scripts" {
		162 |   count  = local.is-production == true ? 1 : 0
		163 |   bucket = "moj-scripts"
		164 |   tags = merge(
		165 |     local.tags,
		166 |     {
		167 |       Name = "${local.application_name}-moj-scripts"
		168 |     }
		169 |   )
		170 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.MoJ-Release-Management
	File: /s3.tf:226-235
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		226 | resource "aws_s3_bucket" "MoJ-Release-Management" {
		227 |   count  = local.is-production == true ? 1 : 0
		228 |   bucket = "moj-release-management"
		229 |   tags = merge(
		230 |     local.tags,
		231 |     {
		232 |       Name = "${local.application_name}-moj-release-management"
		233 |     }
		234 |   )
		235 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.PPUD-ALB
	File: /alb_external.tf:4-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		4  | resource "aws_lb" "PPUD-ALB" {
		5  |   count              = local.is-development == true ? 1 : 0
		6  |   name               = "PPUD-ALB"
		7  |   internal           = false
		8  |   load_balancer_type = "application"
		9  |   security_groups    = [aws_security_group.PPUD-ALB.id]
		10 |   subnets            = [data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		11 | 
		12 |   enable_deletion_protection = true
		13 |   drop_invalid_header_fields = true
		14 | 
		15 |   tags = {
		16 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		17 |   }
		18 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.WAM-ALB
	File: /alb_external.tf:79-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		79 | resource "aws_lb" "WAM-ALB" {
		80 |   name               = local.application_data.accounts[local.environment].WAM_ALB
		81 |   internal           = false
		82 |   load_balancer_type = "application"
		83 |   security_groups    = [aws_security_group.WAM-ALB.id]
		84 |   subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
		85 | 
		86 |   enable_deletion_protection = true
		87 |   drop_invalid_header_fields = true
		88 | 
		89 |   tags = {
		90 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		91 |   }
		92 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/ppud

*****************************

Running tflint in terraform/environments/ppud
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/lambda.tf line 387:
 387: data "archive_file" "zip_the_send_cpu_notification_code_prod" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/secrets.tf line 4:
   4: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ppud

*****************************

Running Trivy in terraform/environments/ppud
2024-07-08T09:55:40Z	INFO	Need to update DB
2024-07-08T09:55:40Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-08T09:55:42Z	INFO	Vulnerability scanning is enabled
2024-07-08T09:55:42Z	INFO	Misconfiguration scanning is enabled
2024-07-08T09:55:42Z	INFO	Need to update the built-in policies
2024-07-08T09:55:42Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-08T09:55:42Z	INFO	Secret scanning is enabled
2024-07-08T09:55:42Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-08T09:55:42Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-08T09:55:43Z	INFO	Number of language-specific files	num=0
2024-07-08T09:55:43Z	INFO	Detected config files	num=8

alb_external.tf (terraform)
===========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb_external.tf:81
   via alb_external.tf:79-92 (aws_lb.WAM-ALB)
────────────────────────────────────────
  79   resource "aws_lb" "WAM-ALB" {
  ..   
  81 [   internal           = false
  ..   
  92   }
────────────────────────────────────────



iam.tf (terraform)
==================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


s3.tf (terraform)
=================
Tests: 7 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:105-113
────────────────────────────────────────
 105resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 106 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 107 │   tags = merge(
 108 │     local.tags,
 109 │     {
 110 │       Name = "${local.application_name}-moj-health-check-reports"
 111 │     }
 112 │   )
 113 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:105-113
────────────────────────────────────────
 105resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 106 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 107 │   tags = merge(
 108 │     local.tags,
 109 │     {
 110 │       Name = "${local.application_name}-moj-health-check-reports"
 111 │     }
 112 │   )
 113 └ }
────────────────────────────────────────



security_group.tf (terraform)
=============================
Tests: 39 (SUCCESSES: 25, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 0, CRITICAL: 14)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:52
   via security_group.tf:47-54 (aws_security_group_rule.PPUD-WEB-Portal-egress-1)
────────────────────────────────────────
  47   resource "aws_security_group_rule" "PPUD-WEB-Portal-egress-1" {
  48     type              = "egress"
  49     from_port         = 443
  50     to_port           = 443
  51     protocol          = "tcp"
  52 [   cidr_blocks       = ["0.0.0.0/0"]
  53     security_group_id = aws_security_group.PPUD-WEB-Portal.id
  54   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:61
   via security_group.tf:56-63 (aws_security_group_rule.PPUD-WEB-Portal-egress-2)
────────────────────────────────────────
  56   resource "aws_security_group_rule" "PPUD-WEB-Portal-egress-2" {
  57     type              = "egress"
  58     from_port         = 80
  59     to_port           = 80
  60     protocol          = "tcp"
  61 [   cidr_blocks       = ["0.0.0.0/0"]
  62     security_group_id = aws_security_group.PPUD-WEB-Portal.id
  63   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:434
   via security_group.tf:428-436 (aws_security_group_rule.Primary-DOC-Server-Egress-1[0])
────────────────────────────────────────
 428   resource "aws_security_group_rule" "Primary-DOC-Server-Egress-1" {
 429     count             = local.is-preproduction == false ? 1 : 0
 430     type              = "egress"
 431     from_port         = 443
 432     to_port           = 443
 433     protocol          = "tcp"
 434 [   cidr_blocks       = ["0.0.0.0/0"]
 435     security_group_id = aws_security_group.Primary-DOC-Server[0].id
 436   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:444
   via security_group.tf:438-446 (aws_security_group_rule.Primary-DOC-Server-Egress-2[0])
────────────────────────────────────────
 438   resource "aws_security_group_rule" "Primary-DOC-Server-Egress-2" {
 439     count             = local.is-preproduction == false ? 1 : 0
 440     type              = "egress"
 441     from_port         = 80
 442     to_port           = 80
 443     protocol          = "tcp"
 444 [   cidr_blocks       = ["0.0.0.0/0"]
 445     security_group_id = aws_security_group.Primary-DOC-Server[0].id
 446   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:506
   via security_group.tf:500-508 (aws_security_group_rule.Secondary-DOC-Server-Egress-1[0])
────────────────────────────────────────
 500   resource "aws_security_group_rule" "Secondary-DOC-Server-Egress-1" {
 501     count             = local.is-preproduction == false ? 1 : 0
 502     type              = "egress"
 503     from_port         = 443
 504     to_port           = 443
 505     protocol          = "tcp"
 506 [   cidr_blocks       = ["0.0.0.0/0"]
 507     security_group_id = aws_security_group.Secondary-DOC-Server[0].id
 508   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:516
   via security_group.tf:510-518 (aws_security_group_rule.Secondary-DOC-Server-Egress-2[0])
────────────────────────────────────────
 510   resource "aws_security_group_rule" "Secondary-DOC-Server-Egress-2" {
 511     count             = local.is-preproduction == false ? 1 : 0
 512     type              = "egress"
 513     from_port         = 80
 514     to_port           = 80
 515     protocol          = "tcp"
 516 [   cidr_blocks       = ["0.0.0.0/0"]
 517     security_group_id = aws_security_group.Secondary-DOC-Server[0].id
 518   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:700
   via security_group.tf:694-702 (aws_security_group_rule.UAT-Bridge-Server-Egress-1[0])
────────────────────────────────────────
 694   resource "aws_security_group_rule" "UAT-Bridge-Server-Egress-1" {
 695     count             = local.is-development == false ? 1 : 0
 696     type              = "egress"
 697     from_port         = 443
 698     to_port           = 443
 699     protocol          = "tcp"
 700 [   cidr_blocks       = ["0.0.0.0/0"]
 701     security_group_id = aws_security_group.Bridge-Server[0].id
 702   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:710
   via security_group.tf:704-712 (aws_security_group_rule.UAT-Bridge-Server-Egress-2[0])
────────────────────────────────────────
 704   resource "aws_security_group_rule" "UAT-Bridge-Server-Egress-2" {
 705     count             = local.is-development == false ? 1 : 0
 706     type              = "egress"
 707     from_port         = 80
 708     to_port           = 80
 709     protocol          = "tcp"
 710 [   cidr_blocks       = ["0.0.0.0/0"]
 711     security_group_id = aws_security_group.Bridge-Server[0].id
 712   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:163
   via security_group.tf:158-165 (aws_security_group_rule.WAM-Data-Access-Server-Egress-1)
────────────────────────────────────────
 158   resource "aws_security_group_rule" "WAM-Data-Access-Server-Egress-1" {
 159     type              = "egress"
 160     from_port         = 443
 161     to_port           = 443
 162     protocol          = "tcp"
 163 [   cidr_blocks       = ["0.0.0.0/0"]
 164     security_group_id = aws_security_group.WAM-Data-Access-Server.id
 165   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:172
   via security_group.tf:167-174 (aws_security_group_rule.WAM-Data-Access-Server-Egress-2)
────────────────────────────────────────
 167   resource "aws_security_group_rule" "WAM-Data-Access-Server-Egress-2" {
 168     type              = "egress"
 169     from_port         = 80
 170     to_port           = 80
 171     protocol          = "tcp"
 172 [   cidr_blocks       = ["0.0.0.0/0"]
 173     security_group_id = aws_security_group.WAM-Data-Access-Server.id
 174   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:107
   via security_group.tf:102-109 (aws_security_group_rule.WAM-Portal-egress-1)
────────────────────────────────────────
 102   resource "aws_security_group_rule" "WAM-Portal-egress-1" {
 103     type              = "egress"
 104     from_port         = 443
 105     to_port           = 443
 106     protocol          = "tcp"
 107 [   cidr_blocks       = ["0.0.0.0/0"]
 108     security_group_id = aws_security_group.WAM-Portal.id
 109   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 security_group.tf:116
   via security_group.tf:111-118 (aws_security_group_rule.WAM-Portal-egress-2)
────────────────────────────────────────
 111   resource "aws_security_group_rule" "WAM-Portal-egress-2" {
 112     type              = "egress"
 113     from_port         = 80
 114     to_port           = 80
 115     protocol          = "tcp"
 116 [   cidr_blocks       = ["0.0.0.0/0"]
 117     security_group_id = aws_security_group.WAM-Portal.id
 118   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 security_group.tf:596
   via security_group.tf:591-598 (aws_security_group_rule.PPUD-ALB-Ingress)
────────────────────────────────────────
 591   resource "aws_security_group_rule" "PPUD-ALB-Ingress" {
 592     type              = "ingress"
 593     from_port         = 443
 594     to_port           = 443
 595     protocol          = "tcp"
 596 [   cidr_blocks       = ["0.0.0.0/0"]
 597     security_group_id = aws_security_group.PPUD-ALB.id
 598   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 security_group.tf:633
   via security_group.tf:628-635 (aws_security_group_rule.WAM-ALB-Ingress)
────────────────────────────────────────
 628   resource "aws_security_group_rule" "WAM-ALB-Ingress" {
 629     type              = "ingress"
 630     from_port         = 443
 631     to_port           = 443
 632     protocol          = "tcp"
 633 [   cidr_blocks       = ["0.0.0.0/0"]
 634     security_group_id = aws_security_group.WAM-ALB.id
 635   }
────────────────────────────────────────


trivy_exitcode=1

@nbuckingham72 nbuckingham72 merged commit 8043598 into main Jul 8, 2024
13 of 14 checks passed
@nbuckingham72 nbuckingham72 deleted the Update_080724 branch July 8, 2024 09:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SteveLinden SteveLinden SteveLinden approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nbuckingham72 @SteveLinden