Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DV_GluJob_V4c-Archived_V4d_Created #7091

Merged
merged 16 commits into from
Jul 16, 2024
Merged

DV_GluJob_V4c-Archived_V4d_Created #7091

merged 16 commits into from
Jul 16, 2024

Conversation

madhu-k-sr2
Copy link
Contributor

No description provided.

@madhu-k-sr2 madhu-k-sr2 requested review from a team as code owners July 15, 2024 08:28
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jul 15, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T08:30:22Z INFO Need to update DB
2024-07-15T08:30:22Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T08:30:25Z INFO Vulnerability scanning is enabled
2024-07-15T08:30:25Z INFO Misconfiguration scanning is enabled
2024-07-15T08:30:25Z INFO Need to update the built-in policies
2024-07-15T08:30:25Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T08:30:25Z INFO Secret scanning is enabled
2024-07-15T08:30:25Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T08:30:25Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T08:30:25Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-15T08:30:30Z INFO Number of language-specific files num=1
2024-07-15T08:30:30Z INFO [pip] Detecting vulnerabilities...
2024-07-15T08:30:30Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 08:30:33,354 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-15 08:30:33,354 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:147-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T08:30:22Z	INFO	Need to update DB
2024-07-15T08:30:22Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T08:30:25Z	INFO	Vulnerability scanning is enabled
2024-07-15T08:30:25Z	INFO	Misconfiguration scanning is enabled
2024-07-15T08:30:25Z	INFO	Need to update the built-in policies
2024-07-15T08:30:25Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T08:30:25Z	INFO	Secret scanning is enabled
2024-07-15T08:30:25Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T08:30:25Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T08:30:25Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-15T08:30:30Z	INFO	Number of language-specific files	num=1
2024-07-15T08:30:30Z	INFO	[pip] Detecting vulnerabilities...
2024-07-15T08:30:30Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 15, 2024 08:48 — with GitHub Actions Failure
@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 15, 2024 09:31 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T09:32:14Z INFO Need to update DB
2024-07-15T09:32:14Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T09:32:16Z INFO Vulnerability scanning is enabled
2024-07-15T09:32:16Z INFO Misconfiguration scanning is enabled
2024-07-15T09:32:16Z INFO Need to update the built-in policies
2024-07-15T09:32:16Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T09:32:16Z INFO Secret scanning is enabled
2024-07-15T09:32:16Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T09:32:16Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T09:32:16Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-15T09:32:20Z INFO Number of language-specific files num=1
2024-07-15T09:32:20Z INFO [pip] Detecting vulnerabilities...
2024-07-15T09:32:20Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 09:32:22,502 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-15 09:32:22,503 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:147-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T09:32:14Z	INFO	Need to update DB
2024-07-15T09:32:14Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T09:32:16Z	INFO	Vulnerability scanning is enabled
2024-07-15T09:32:16Z	INFO	Misconfiguration scanning is enabled
2024-07-15T09:32:16Z	INFO	Need to update the built-in policies
2024-07-15T09:32:16Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T09:32:16Z	INFO	Secret scanning is enabled
2024-07-15T09:32:16Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T09:32:16Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T09:32:16Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-15T09:32:20Z	INFO	Number of language-specific files	num=1
2024-07-15T09:32:20Z	INFO	[pip] Detecting vulnerabilities...
2024-07-15T09:32:20Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 15, 2024 10:29 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T10:29:49Z INFO Need to update DB
2024-07-15T10:29:49Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T10:29:51Z INFO Vulnerability scanning is enabled
2024-07-15T10:29:51Z INFO Misconfiguration scanning is enabled
2024-07-15T10:29:51Z INFO Need to update the built-in policies
2024-07-15T10:29:51Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T10:29:51Z INFO Secret scanning is enabled
2024-07-15T10:29:51Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T10:29:51Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T10:29:55Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-15T10:29:55Z INFO Number of language-specific files num=1
2024-07-15T10:29:55Z INFO [pip] Detecting vulnerabilities...
2024-07-15T10:29:55Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 10:29:57,652 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-15 10:29:57,652 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:147-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T10:29:49Z	INFO	Need to update DB
2024-07-15T10:29:49Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T10:29:51Z	INFO	Vulnerability scanning is enabled
2024-07-15T10:29:51Z	INFO	Misconfiguration scanning is enabled
2024-07-15T10:29:51Z	INFO	Need to update the built-in policies
2024-07-15T10:29:51Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T10:29:51Z	INFO	Secret scanning is enabled
2024-07-15T10:29:51Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T10:29:51Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T10:29:55Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-15T10:29:55Z	INFO	Number of language-specific files	num=1
2024-07-15T10:29:55Z	INFO	[pip] Detecting vulnerabilities...
2024-07-15T10:29:55Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 15, 2024 10:51 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T10:52:01Z INFO Need to update DB
2024-07-15T10:52:01Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T10:52:03Z INFO Vulnerability scanning is enabled
2024-07-15T10:52:03Z INFO Misconfiguration scanning is enabled
2024-07-15T10:52:03Z INFO Need to update the built-in policies
2024-07-15T10:52:03Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T10:52:03Z INFO Secret scanning is enabled
2024-07-15T10:52:03Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T10:52:03Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T10:52:03Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-15T10:52:07Z INFO Number of language-specific files num=1
2024-07-15T10:52:07Z INFO [pip] Detecting vulnerabilities...
2024-07-15T10:52:07Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 10:52:09,851 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-15 10:52:09,851 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:147-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T10:52:01Z	INFO	Need to update DB
2024-07-15T10:52:01Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T10:52:03Z	INFO	Vulnerability scanning is enabled
2024-07-15T10:52:03Z	INFO	Misconfiguration scanning is enabled
2024-07-15T10:52:03Z	INFO	Need to update the built-in policies
2024-07-15T10:52:03Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T10:52:03Z	INFO	Secret scanning is enabled
2024-07-15T10:52:03Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T10:52:03Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T10:52:03Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-15T10:52:07Z	INFO	Number of language-specific files	num=1
2024-07-15T10:52:07Z	INFO	[pip] Detecting vulnerabilities...
2024-07-15T10:52:07Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 15, 2024 13:08 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T13:08:55Z INFO Need to update DB
2024-07-15T13:08:55Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T13:08:57Z INFO Vulnerability scanning is enabled
2024-07-15T13:08:57Z INFO Misconfiguration scanning is enabled
2024-07-15T13:08:57Z INFO Need to update the built-in policies
2024-07-15T13:08:57Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T13:08:57Z INFO Secret scanning is enabled
2024-07-15T13:08:57Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T13:08:57Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T13:08:58Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-15T13:09:01Z INFO Number of language-specific files num=1
2024-07-15T13:09:01Z INFO [pip] Detecting vulnerabilities...
2024-07-15T13:09:01Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 13:09:03,993 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-15 13:09:03,993 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:147-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T13:08:55Z	INFO	Need to update DB
2024-07-15T13:08:55Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T13:08:57Z	INFO	Vulnerability scanning is enabled
2024-07-15T13:08:57Z	INFO	Misconfiguration scanning is enabled
2024-07-15T13:08:57Z	INFO	Need to update the built-in policies
2024-07-15T13:08:57Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T13:08:57Z	INFO	Secret scanning is enabled
2024-07-15T13:08:57Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T13:08:57Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T13:08:58Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-15T13:09:01Z	INFO	Number of language-specific files	num=1
2024-07-15T13:09:01Z	INFO	[pip] Detecting vulnerabilities...
2024-07-15T13:09:01Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 15, 2024 13:26 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T13:26:53Z INFO Need to update DB
2024-07-15T13:26:53Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T13:26:55Z INFO Vulnerability scanning is enabled
2024-07-15T13:26:55Z INFO Misconfiguration scanning is enabled
2024-07-15T13:26:55Z INFO Need to update the built-in policies
2024-07-15T13:26:55Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T13:26:55Z INFO Secret scanning is enabled
2024-07-15T13:26:55Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T13:26:55Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T13:26:55Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-15T13:26:58Z INFO Number of language-specific files num=1
2024-07-15T13:26:58Z INFO [pip] Detecting vulnerabilities...
2024-07-15T13:26:58Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 13:27:01,090 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-15 13:27:01,090 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:147-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T13:26:53Z	INFO	Need to update DB
2024-07-15T13:26:53Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T13:26:55Z	INFO	Vulnerability scanning is enabled
2024-07-15T13:26:55Z	INFO	Misconfiguration scanning is enabled
2024-07-15T13:26:55Z	INFO	Need to update the built-in policies
2024-07-15T13:26:55Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T13:26:55Z	INFO	Secret scanning is enabled
2024-07-15T13:26:55Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T13:26:55Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T13:26:55Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-15T13:26:58Z	INFO	Number of language-specific files	num=1
2024-07-15T13:26:58Z	INFO	[pip] Detecting vulnerabilities...
2024-07-15T13:26:58Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 15, 2024 15:49 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T15:50:32Z INFO Need to update DB
2024-07-15T15:50:32Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T15:50:34Z INFO Vulnerability scanning is enabled
2024-07-15T15:50:34Z INFO Misconfiguration scanning is enabled
2024-07-15T15:50:34Z INFO Need to update the built-in policies
2024-07-15T15:50:34Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T15:50:34Z INFO Secret scanning is enabled
2024-07-15T15:50:34Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T15:50:34Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T15:50:38Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-15T15:50:38Z INFO Number of language-specific files num=1
2024-07-15T15:50:38Z INFO [pip] Detecting vulnerabilities...
2024-07-15T15:50:38Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 15:50:40,623 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-15 15:50:40,623 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:147-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T15:50:32Z	INFO	Need to update DB
2024-07-15T15:50:32Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T15:50:34Z	INFO	Vulnerability scanning is enabled
2024-07-15T15:50:34Z	INFO	Misconfiguration scanning is enabled
2024-07-15T15:50:34Z	INFO	Need to update the built-in policies
2024-07-15T15:50:34Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T15:50:34Z	INFO	Secret scanning is enabled
2024-07-15T15:50:34Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T15:50:34Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T15:50:38Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-15T15:50:38Z	INFO	Number of language-specific files	num=1
2024-07-15T15:50:38Z	INFO	[pip] Detecting vulnerabilities...
2024-07-15T15:50:38Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 15, 2024 19:27 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T19:28:33Z INFO Need to update DB
2024-07-15T19:28:33Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T19:28:36Z INFO Vulnerability scanning is enabled
2024-07-15T19:28:36Z INFO Misconfiguration scanning is enabled
2024-07-15T19:28:36Z INFO Need to update the built-in policies
2024-07-15T19:28:36Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T19:28:36Z INFO Secret scanning is enabled
2024-07-15T19:28:36Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T19:28:36Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T19:28:41Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-15T19:28:41Z INFO Number of language-specific files num=1
2024-07-15T19:28:41Z INFO [pip] Detecting vulnerabilities...
2024-07-15T19:28:41Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 19:28:44,120 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-15 19:28:44,120 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:147-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:203-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		203 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		204 |   name              = "catalog-dv-table-glue-job"
		205 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		206 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		207 |   glue_version      = "4.0"
		208 |   worker_type       = "G.1X"
		209 |   number_of_workers = 2
		210 |   default_arguments = {
		211 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		212 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		213 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		214 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		215 |     "--enable-continuous-cloudwatch-log" = "true"
		216 |     "--enable-continuous-log-filter"     = "true"
		217 |     "--enable-metrics"                   = ""
		218 |   }
		219 |   command {
		220 |     python_version  = "3"
		221 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		222 |   }
		223 | 
		224 |   tags = merge(
		225 |     local.tags,
		226 |     {
		227 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		228 |     }
		229 |   )
		230 | 
		231 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-15T19:28:33Z	INFO	Need to update DB
2024-07-15T19:28:33Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T19:28:36Z	INFO	Vulnerability scanning is enabled
2024-07-15T19:28:36Z	INFO	Misconfiguration scanning is enabled
2024-07-15T19:28:36Z	INFO	Need to update the built-in policies
2024-07-15T19:28:36Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-15T19:28:36Z	INFO	Secret scanning is enabled
2024-07-15T19:28:36Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T19:28:36Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T19:28:41Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-15T19:28:41Z	INFO	Number of language-specific files	num=1
2024-07-15T19:28:41Z	INFO	[pip] Detecting vulnerabilities...
2024-07-15T19:28:41Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 had a problem deploying to electronic-monitoring-data-development July 16, 2024 07:37 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-16T07:38:29Z INFO Need to update DB
2024-07-16T07:38:29Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-16T07:38:31Z INFO Vulnerability scanning is enabled
2024-07-16T07:38:31Z INFO Misconfiguration scanning is enabled
2024-07-16T07:38:31Z INFO Need to update the built-in policies
2024-07-16T07:38:31Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-16T07:38:32Z INFO Secret scanning is enabled
2024-07-16T07:38:32Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-16T07:38:32Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-16T07:38:32Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-16T07:38:35Z INFO Number of language-specific files num=1
2024-07-16T07:38:35Z INFO [pip] Detecting vulnerabilities...
2024-07-16T07:38:35Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-16 07:38:37,890 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-16 07:38:37,890 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1525, Failed checks: 98, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:77-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		77 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		78 |   name              = "dms-dv-glue-job"
		79 |   retention_in_days = 14
		80 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:82-85
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		82 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		83 |   name              = "dms-dv-glue-job-v2"
		84 |   retention_in_days = 14
		85 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:88-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:148-201
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:204-232
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		204 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		205 |   name              = "catalog-dv-table-glue-job"
		206 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		207 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		208 |   glue_version      = "4.0"
		209 |   worker_type       = "G.1X"
		210 |   number_of_workers = 2
		211 |   default_arguments = {
		212 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		213 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		214 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		215 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		216 |     "--enable-continuous-cloudwatch-log" = "true"
		217 |     "--enable-continuous-log-filter"     = "true"
		218 |     "--enable-metrics"                   = ""
		219 |   }
		220 |   command {
		221 |     python_version  = "3"
		222 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		223 |   }
		224 | 
		225 |   tags = merge(
		226 |     local.tags,
		227 |     {
		228 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		229 |     }
		230 |   )
		231 | 
		232 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:83-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		83 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		84 |   statement {
		85 |     effect = "Allow"
		86 |     actions = [
		87 |       "ec2:CreateNetworkInterface",
		88 |       "ec2:DescribeNetworkInterfaces",
		89 |       "ec2:DeleteNetworkInterface",
		90 |       "ec2:DescribeVpcEndpoints",
		91 |       "ec2:DescribeSubnets",
		92 |       "ec2:DescribeVpcAttribute",
		93 |       "ec2:DescribeRouteTables",
		94 |       "ec2:DescribeSecurityGroups"
		95 |     ]
		96 |     resources = ["*"]
		97 |   }
		98 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:554-599
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		554 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		555 |   statement {
		556 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		557 |     effect = "Allow"
		558 |     actions = [
		559 |       "s3:GetObject",
		560 |       "s3:PutObject",
		561 |       "s3:ListBucket",
		562 |       "s3:GetBucketLocation"
		563 |     ]
		564 |     resources = [
		565 |       "${aws_s3_bucket.data_store.arn}/*",
		566 |       aws_s3_bucket.data_store.arn,
		567 |       "${module.athena-s3-bucket.bucket.arn}/*",
		568 |       module.athena-s3-bucket.bucket.arn,
		569 |       module.metadata-s3-bucket.bucket.arn,
		570 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		571 |     ]
		572 |   }
		573 |   statement {
		574 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		575 |     effect = "Allow"
		576 |     actions = [
		577 |       "athena:StartQueryExecution",
		578 |       "athena:GetQueryExecution",
		579 |       "athena:GetQueryResults",
		580 |       "athena:StopQueryExecution"
		581 |     ]
		582 |     resources = ["*"]
		583 |   }
		584 |   statement {
		585 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		586 |     effect = "Allow"
		587 |     actions = [
		588 |       "glue:GetTable",
		589 |       "glue:GetDatabase",
		590 |       "glue:GetDatabases",
		591 |       "glue:CreateTable",
		592 |       "glue:DeleteTable",
		593 |       "glue:CreateDatabase",
		594 |       "glue:DeleteDatabase",
		595 |       "glue:UpdateTable"
		596 |     ]
		597 |     resources = ["*"]
		598 |   }
		599 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-16T07:38:29Z	INFO	Need to update DB
2024-07-16T07:38:29Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-16T07:38:31Z	INFO	Vulnerability scanning is enabled
2024-07-16T07:38:31Z	INFO	Misconfiguration scanning is enabled
2024-07-16T07:38:31Z	INFO	Need to update the built-in policies
2024-07-16T07:38:31Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-16T07:38:32Z	INFO	Secret scanning is enabled
2024-07-16T07:38:32Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-16T07:38:32Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-16T07:38:32Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-16T07:38:35Z	INFO	Number of language-specific files	num=1
2024-07-16T07:38:35Z	INFO	[pip] Detecting vulnerabilities...
2024-07-16T07:38:35Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 24, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 merged commit 4b14b89 into main Jul 16, 2024
8 of 11 checks passed
@madhu-k-sr2 madhu-k-sr2 deleted the DV_GlueJobV4c_Cache_RDS_DF branch July 16, 2024 08:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luke-a-williams luke-a-williams luke-a-williams approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@madhu-k-sr2 @luke-a-williams