
CodeLogicImprovements #7143

Merged
merged 16 commits into from
Jul 19, 2024

Conversation

madhu-k-sr2
Contributor

No description provided.

@madhu-k-sr2 madhu-k-sr2 requested review from a team as code owners July 19, 2024 07:51
@github-actions github-actions bot added the `environments-repository` label (Used to exclude PRs from this repo in our Slack PR update) Jul 19, 2024
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 07:53 with GitHub Actions (Inactive)
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T07:53:47Z INFO Need to update DB
2024-07-19T07:53:47Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T07:53:49Z INFO Vulnerability scanning is enabled
2024-07-19T07:53:49Z INFO Misconfiguration scanning is enabled
2024-07-19T07:53:49Z INFO Need to update the built-in policies
2024-07-19T07:53:49Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T07:53:50Z INFO Secret scanning is enabled
2024-07-19T07:53:50Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T07:53:50Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T07:53:57Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T07:53:57Z INFO Number of language-specific files num=1
2024-07-19T07:53:57Z INFO [pip] Detecting vulnerabilities...
2024-07-19T07:53:57Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-19 07:53:59,424 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-19 07:53:59,424 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1565, Failed checks: 106, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:100-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:161-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:217-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:281-309
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		281 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		282 |   name              = "catalog-dv-table-glue-job"
		283 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		284 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		285 |   glue_version      = "4.0"
		286 |   worker_type       = "G.1X"
		287 |   number_of_workers = 2
		288 |   default_arguments = {
		289 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		290 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		291 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		292 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		293 |     "--enable-continuous-cloudwatch-log" = "true"
		294 |     "--enable-continuous-log-filter"     = "true"
		295 |     "--enable-metrics"                   = ""
		296 |   }
		297 |   command {
		298 |     python_version  = "3"
		299 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		300 |   }
		301 | 
		302 |   tags = merge(
		303 |     local.tags,
		304 |     {
		305 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		306 |     }
		307 |   )
		308 | 
		309 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies do not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policy documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_111: "Ensure IAM policies do not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:567-612
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		567 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		568 |   statement {
		569 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		570 |     effect = "Allow"
		571 |     actions = [
		572 |       "s3:GetObject",
		573 |       "s3:PutObject",
		574 |       "s3:ListBucket",
		575 |       "s3:GetBucketLocation"
		576 |     ]
		577 |     resources = [
		578 |       "${aws_s3_bucket.data_store.arn}/*",
		579 |       aws_s3_bucket.data_store.arn,
		580 |       "${module.athena-s3-bucket.bucket.arn}/*",
		581 |       module.athena-s3-bucket.bucket.arn,
		582 |       module.metadata-s3-bucket.bucket.arn,
		583 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		584 |     ]
		585 |   }
		586 |   statement {
		587 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		588 |     effect = "Allow"
		589 |     actions = [
		590 |       "athena:StartQueryExecution",
		591 |       "athena:GetQueryExecution",
		592 |       "athena:GetQueryResults",
		593 |       "athena:StopQueryExecution"
		594 |     ]
		595 |     resources = ["*"]
		596 |   }
		597 |   statement {
		598 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		599 |     effect = "Allow"
		600 |     actions = [
		601 |       "glue:GetTable",
		602 |       "glue:GetDatabase",
		603 |       "glue:GetDatabases",
		604 |       "glue:CreateTable",
		605 |       "glue:DeleteTable",
		606 |       "glue:CreateDatabase",
		607 |       "glue:DeleteDatabase",
		608 |       "glue:UpdateTable"
		609 |     ]
		610 |     resources = ["*"]
		611 |   }
		612 | }

Check: CKV_AWS_356: "Ensure no IAM policy documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:567-612
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		567 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		568 |   statement {
		569 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		570 |     effect = "Allow"
		571 |     actions = [
		572 |       "s3:GetObject",
		573 |       "s3:PutObject",
		574 |       "s3:ListBucket",
		575 |       "s3:GetBucketLocation"
		576 |     ]
		577 |     resources = [
		578 |       "${aws_s3_bucket.data_store.arn}/*",
		579 |       aws_s3_bucket.data_store.arn,
		580 |       "${module.athena-s3-bucket.bucket.arn}/*",
		581 |       module.athena-s3-bucket.bucket.arn,
		582 |       module.metadata-s3-bucket.bucket.arn,
		583 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		584 |     ]
		585 |   }
		586 |   statement {
		587 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		588 |     effect = "Allow"
		589 |     actions = [
		590 |       "athena:StartQueryExecution",
		591 |       "athena:GetQueryExecution",
		592 |       "athena:GetQueryResults",
		593 |       "athena:StopQueryExecution"
		594 |     ]
		595 |     resources = ["*"]
		596 |   }
		597 |   statement {
		598 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		599 |     effect = "Allow"
		600 |     actions = [
		601 |       "glue:GetTable",
		602 |       "glue:GetDatabase",
		603 |       "glue:GetDatabases",
		604 |       "glue:CreateTable",
		605 |       "glue:DeleteTable",
		606 |       "glue:CreateDatabase",
		607 |       "glue:DeleteDatabase",
		608 |       "glue:UpdateTable"
		609 |     ]
		610 |     resources = ["*"]
		611 |   }
		612 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies do not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policy documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T07:53:47Z	INFO	Need to update DB
2024-07-19T07:53:47Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T07:53:49Z	INFO	Vulnerability scanning is enabled
2024-07-19T07:53:49Z	INFO	Misconfiguration scanning is enabled
2024-07-19T07:53:49Z	INFO	Need to update the built-in policies
2024-07-19T07:53:49Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T07:53:50Z	INFO	Secret scanning is enabled
2024-07-19T07:53:50Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T07:53:50Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T07:53:57Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-19T07:53:57Z	INFO	Number of language-specific files	num=1
2024-07-19T07:53:57Z	INFO	[pip] Detecting vulnerabilities...
2024-07-19T07:53:57Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 08:09 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T08:09:36Z INFO Need to update DB
2024-07-19T08:09:36Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T08:09:38Z INFO Vulnerability scanning is enabled
2024-07-19T08:09:38Z INFO Misconfiguration scanning is enabled
2024-07-19T08:09:38Z INFO Need to update the built-in policies
2024-07-19T08:09:38Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T08:09:38Z INFO Secret scanning is enabled
2024-07-19T08:09:38Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T08:09:38Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T08:09:41Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T08:09:42Z INFO Number of language-specific files num=1
2024-07-19T08:09:42Z INFO [pip] Detecting vulnerabilities...
2024-07-19T08:09:42Z INFO Detected config files num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-19 08:09:44,611 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-19 08:09:44,611 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1565, Failed checks: 106, Skipped checks: 10

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:100-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:161-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:217-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:282-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		282 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		283 |   name              = "catalog-dv-table-glue-job"
		284 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		285 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		286 |   glue_version      = "4.0"
		287 |   worker_type       = "G.1X"
		288 |   number_of_workers = 2
		289 |   default_arguments = {
		290 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		291 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		292 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		293 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		294 |     "--enable-continuous-cloudwatch-log" = "true"
		295 |     "--enable-continuous-log-filter"     = "true"
		296 |     "--enable-metrics"                   = ""
		297 |   }
		298 |   command {
		299 |     python_version  = "3"
		300 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		301 |   }
		302 | 
		303 |   tags = merge(
		304 |     local.tags,
		305 |     {
		306 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		307 |     }
		308 |   )
		309 | 
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:567-612
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		567 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		568 |   statement {
		569 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		570 |     effect = "Allow"
		571 |     actions = [
		572 |       "s3:GetObject",
		573 |       "s3:PutObject",
		574 |       "s3:ListBucket",
		575 |       "s3:GetBucketLocation"
		576 |     ]
		577 |     resources = [
		578 |       "${aws_s3_bucket.data_store.arn}/*",
		579 |       aws_s3_bucket.data_store.arn,
		580 |       "${module.athena-s3-bucket.bucket.arn}/*",
		581 |       module.athena-s3-bucket.bucket.arn,
		582 |       module.metadata-s3-bucket.bucket.arn,
		583 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		584 |     ]
		585 |   }
		586 |   statement {
		587 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		588 |     effect = "Allow"
		589 |     actions = [
		590 |       "athena:StartQueryExecution",
		591 |       "athena:GetQueryExecution",
		592 |       "athena:GetQueryResults",
		593 |       "athena:StopQueryExecution"
		594 |     ]
		595 |     resources = ["*"]
		596 |   }
		597 |   statement {
		598 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		599 |     effect = "Allow"
		600 |     actions = [
		601 |       "glue:GetTable",
		602 |       "glue:GetDatabase",
		603 |       "glue:GetDatabases",
		604 |       "glue:CreateTable",
		605 |       "glue:DeleteTable",
		606 |       "glue:CreateDatabase",
		607 |       "glue:DeleteDatabase",
		608 |       "glue:UpdateTable"
		609 |     ]
		610 |     resources = ["*"]
		611 |   }
		612 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:567-612
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		567 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		568 |   statement {
		569 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		570 |     effect = "Allow"
		571 |     actions = [
		572 |       "s3:GetObject",
		573 |       "s3:PutObject",
		574 |       "s3:ListBucket",
		575 |       "s3:GetBucketLocation"
		576 |     ]
		577 |     resources = [
		578 |       "${aws_s3_bucket.data_store.arn}/*",
		579 |       aws_s3_bucket.data_store.arn,
		580 |       "${module.athena-s3-bucket.bucket.arn}/*",
		581 |       module.athena-s3-bucket.bucket.arn,
		582 |       module.metadata-s3-bucket.bucket.arn,
		583 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		584 |     ]
		585 |   }
		586 |   statement {
		587 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		588 |     effect = "Allow"
		589 |     actions = [
		590 |       "athena:StartQueryExecution",
		591 |       "athena:GetQueryExecution",
		592 |       "athena:GetQueryResults",
		593 |       "athena:StopQueryExecution"
		594 |     ]
		595 |     resources = ["*"]
		596 |   }
		597 |   statement {
		598 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		599 |     effect = "Allow"
		600 |     actions = [
		601 |       "glue:GetTable",
		602 |       "glue:GetDatabase",
		603 |       "glue:GetDatabases",
		604 |       "glue:CreateTable",
		605 |       "glue:DeleteTable",
		606 |       "glue:CreateDatabase",
		607 |       "glue:DeleteDatabase",
		608 |       "glue:UpdateTable"
		609 |     ]
		610 |     resources = ["*"]
		611 |   }
		612 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T08:09:36Z	INFO	Need to update DB
2024-07-19T08:09:36Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T08:09:38Z	INFO	Vulnerability scanning is enabled
2024-07-19T08:09:38Z	INFO	Misconfiguration scanning is enabled
2024-07-19T08:09:38Z	INFO	Need to update the built-in policies
2024-07-19T08:09:38Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T08:09:38Z	INFO	Secret scanning is enabled
2024-07-19T08:09:38Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T08:09:38Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T08:09:41Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-19T08:09:42Z	INFO	Number of language-specific files	num=1
2024-07-19T08:09:42Z	INFO	[pip] Detecting vulnerabilities...
2024-07-19T08:09:42Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enables public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access the bucket if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 50 (SUCCESSES: 20, FAILURES: 0, EXCEPTIONS: 30)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1
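
The tflint and Trivy findings in the comment above each have a standard Terraform fix. The block below is an added example written for this page, not code from the PR or from the modernisation-platform repositories; the resource names, the `vpc_id` and `rds_port` variables, the provider version constraints and the `eu-west-2` prefix list name are assumptions, and the DMS and Glue security groups flagged above would need the same treatment as the Lambda one shown. It places the weak form each check flags next to a corrected form.

```hcl
# Added example for this page, not code from the PR. Values marked "assumed"
# are placeholders; set them to the real ones for the environment.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumed; match the version the repo already pins
    }
    # tflint terraform_required_providers: random_password comes from the
    # "random" provider, so it needs an explicit version constraint too.
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6" # assumed
    }
  }
}

variable "vpc_id" {
  type = string # assumed
}

variable "rds_port" {
  type    = number
  default = 5432 # assumed; use the port of the engine actually deployed
}

# avd-aws-0132: Trivy flags sse_algorithm = "AES256" (SSE-S3, AWS-owned key).
# A customer managed key adds a key policy, per-use CloudTrail logging and
# rotation under your control.
resource "aws_kms_key" "bucket" {
  description             = "CMK for the example bucket" # assumed
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "example" {
  bucket_prefix = "example-" # assumed
}

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.bucket.arn
    }
    bucket_key_enabled = true # fewer KMS calls, same protection
  }
}

# avd-aws-0086/0087/0091/0093: a bare aws_s3_bucket has no public access block.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# avd-aws-0104: the flagged rule was cidr_ipv4 = "0.0.0.0/0", tcp, ports 0-65535.
# Corrected: egress only to the database security group on the database port.
resource "aws_security_group" "lambda" {
  name   = "example-lambda" # assumed
  vpc_id = var.vpc_id
}

resource "aws_security_group" "rds" {
  name   = "example-rds" # assumed
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_egress_rule" "lambda_to_rds" {
  security_group_id            = aws_security_group.lambda.id
  referenced_security_group_id = aws_security_group.rds.id
  ip_protocol                  = "tcp"
  from_port                    = var.rds_port
  to_port                      = var.rds_port
  description                  = "Lambda to RDS only"
}

# If the function also needs S3, route it through a gateway endpoint and allow
# egress to that service's managed prefix list instead of the whole internet.
data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.eu-west-2.s3" # assumed region
}

resource "aws_vpc_security_group_egress_rule" "lambda_to_s3" {
  security_group_id = aws_security_group.lambda.id
  prefix_list_id    = data.aws_ec2_managed_prefix_list.s3.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  description       = "Lambda to S3 via gateway endpoint"
}

# tflint terraform_deprecated_interpolation. The warning only fires inside an
# HCL expression (for a Step Functions definition, typically jsonencode({...})),
# where the quotes and ${} around a single reference are redundant:
#   flagged:   "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}"
#   corrected: "Resource" : module.get_metadata_from_rds_lambda.lambda_function_arn
```

Three caveats before applying this pattern to the flagged files. Scoping egress to a security group only works while both ends stay in the same VPC; if DMS or Glue must reach an address outside it, put that destination's CIDR or a managed prefix list in the rule rather than 0.0.0.0/0. Switching a bucket to SSE-KMS means every principal that writes to or reads from it (here the DMS, Glue and Lambda roles) needs `kms:GenerateDataKey` and `kms:Decrypt` on the key, either in the key policy or in its IAM policy, or those jobs start failing with access denied once the key is switched. The `ds002` Dockerfile finding is separate and is fixed in the image, by adding a `USER` instruction naming a non-root user after the packages the image needs are installed. Checkov's CKV_TF_1 finding later in the thread (module `?ref=v4.2.1`) is the supply-chain counterpart of these checks: a tag can be moved to point at different code, a commit SHA cannot, so pin `?ref=` to the full SHA of the tagged commit.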

@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 11:53 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T11:53:43Z INFO Need to update DB
2024-07-19T11:53:43Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T11:53:45Z INFO Vulnerability scanning is enabled
2024-07-19T11:53:45Z INFO Misconfiguration scanning is enabled
2024-07-19T11:53:45Z INFO Need to update the built-in policies
2024-07-19T11:53:45Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T11:53:45Z INFO Secret scanning is enabled
2024-07-19T11:53:45Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T11:53:45Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T11:53:45Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T11:53:49Z INFO Number of language-specific files num=1
2024-07-19T11:53:49Z INFO [pip] Detecting vulnerabilities...
2024-07-19T11:53:49Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enables public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access the bucket if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-19 11:53:51,575 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-19 11:53:51,575 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1643, Failed checks: 108, Skipped checks: 11

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:100-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:161-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:217-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:282-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		282 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		283 |   name              = "catalog-dv-table-glue-job"
		284 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		285 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		286 |   glue_version      = "4.0"
		287 |   worker_type       = "G.1X"
		288 |   number_of_workers = 2
		289 |   default_arguments = {
		290 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		291 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		292 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		293 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		294 |     "--enable-continuous-cloudwatch-log" = "true"
		295 |     "--enable-continuous-log-filter"     = "true"
		296 |     "--enable-metrics"                   = ""
		297 |   }
		298 |   command {
		299 |     python_version  = "3"
		300 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		301 |   }
		302 | 
		303 |   tags = merge(
		304 |     local.tags,
		305 |     {
		306 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		307 |     }
		308 |   )
		309 | 
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T11:53:43Z	INFO	Need to update DB
2024-07-19T11:53:43Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T11:53:45Z	INFO	Vulnerability scanning is enabled
2024-07-19T11:53:45Z	INFO	Misconfiguration scanning is enabled
2024-07-19T11:53:45Z	INFO	Need to update the built-in policies
2024-07-19T11:53:45Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T11:53:45Z	INFO	Secret scanning is enabled
2024-07-19T11:53:45Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T11:53:45Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T11:53:45Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-19T11:53:49Z	INFO	Number of language-specific files	num=1
2024-07-19T11:53:49Z	INFO	[pip] Detecting vulnerabilities...
2024-07-19T11:53:49Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 12:24 — with GitHub Actions Inactive

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T12:24:56Z INFO Need to update DB
2024-07-19T12:24:56Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T12:24:57Z INFO Vulnerability scanning is enabled
2024-07-19T12:24:57Z INFO Misconfiguration scanning is enabled
2024-07-19T12:24:57Z INFO Need to update the built-in policies
2024-07-19T12:24:57Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T12:24:58Z INFO Secret scanning is enabled
2024-07-19T12:24:58Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T12:24:58Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T12:24:58Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T12:25:01Z INFO Number of language-specific files num=1
2024-07-19T12:25:01Z INFO [pip] Detecting vulnerabilities...
2024-07-19T12:25:01Z INFO Detected config files num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)
==========================
Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)
===================================
Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

Checkov Scan Failed

Show Output ```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-19 12:25:03,731 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-19 12:25:03,731 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1643, Failed checks: 108, Skipped checks: 11

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		(aws_lambda_function.summarise_zip_lambda listing omitted here; identical to the block shown under CKV_AWS_116 above)

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		(aws_lambda_function.summarise_zip_lambda listing omitted here; identical to the block shown under CKV_AWS_116 above)

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		(aws_lambda_function.summarise_zip_lambda listing omitted here; identical to the block shown under CKV_AWS_116 above)

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		(aws_lambda_function.summarise_zip_lambda listing omitted here; identical to the block shown under CKV_AWS_116 above)

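The five Lambda findings above (CKV_AWS_116, 115, 117, 50 and 272) are all attributes of the one `summarise_zip_lambda` resource. The block below is an added remediation example written for this page; it is not code from the scan output or from the repository. It assumes a versioned artifact bucket `aws_s3_bucket.lambda_artifacts`, a security group `aws_security_group.lambda_egress` and a `local.private_subnet_ids` list, none of which appear on the page; every other name is taken from the listing.

```hcl
# Added remediation example; not the repository's code. Assumed resources:
# aws_s3_bucket.lambda_artifacts (versioned), aws_security_group.lambda_egress
# and local.private_subnet_ids; everything else is named as in the scan output.

# CKV_AWS_116: failed asynchronous invocations are kept for 14 days (the SQS
# maximum) instead of being dropped after Lambda's two retries.
resource "aws_sqs_queue" "summarise_zip_dlq" {
  name                      = "summarise-zip-lambda-dlq"
  message_retention_seconds = 1209600
  sqs_managed_sse_enabled   = true
}

# Without sqs:SendMessage on the queue Lambda cannot deliver to the DLQ and the
# event is lost anyway; the dead_letter_config setting alone is not enough.
data "aws_iam_policy_document" "summarise_zip_dlq" {
  statement {
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.summarise_zip_dlq.arn]
  }
}

resource "aws_iam_role_policy" "summarise_zip_dlq" {
  role   = aws_iam_role.summarise_zip_lambda.id
  policy = data.aws_iam_policy_document.summarise_zip_dlq.json
}

# CKV_AWS_272: the zip is uploaded, AWS Signer writes a signed copy back to S3,
# and Lambda rejects any deployment package not signed by this profile.
resource "aws_signer_signing_profile" "summarise_zip" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "summarise_zip_"
}

resource "aws_s3_object" "summarise_zip_unsigned" {
  bucket = aws_s3_bucket.lambda_artifacts.id
  key    = "unsigned/summarise_zip_lambda.zip"
  source = data.archive_file.summarise_zip_lambda.output_path
  etag   = data.archive_file.summarise_zip_lambda.output_md5
}

resource "aws_signer_signing_job" "summarise_zip" {
  profile_name = aws_signer_signing_profile.summarise_zip.name
  source {
    s3 {
      bucket  = aws_s3_object.summarise_zip_unsigned.bucket
      key     = aws_s3_object.summarise_zip_unsigned.key
      version = aws_s3_object.summarise_zip_unsigned.version_id
    }
  }
  destination {
    s3 {
      bucket = aws_s3_bucket.lambda_artifacts.id
      prefix = "signed/"
    }
  }
}

resource "aws_lambda_code_signing_config" "summarise_zip" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.summarise_zip.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}

resource "aws_lambda_function" "summarise_zip_lambda" {
  function_name           = "summarise-zip-lambda"
  role                    = aws_iam_role.summarise_zip_lambda.arn
  handler                 = "summarise_zip_lambda.handler"
  runtime                 = "python3.12"
  timeout                 = 900
  memory_size             = 1024
  layers                  = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
  s3_bucket               = aws_signer_signing_job.summarise_zip.signed_object[0].s3[0].bucket
  s3_key                  = aws_signer_signing_job.summarise_zip.signed_object[0].s3[0].key
  code_signing_config_arn = aws_lambda_code_signing_config.summarise_zip.arn

  dead_letter_config {
    target_arn = aws_sqs_queue.summarise_zip_dlq.arn
  }

  # CKV_AWS_115: caps how much of the account's concurrency a runaway trigger
  # can take; with a 900 s timeout that is a realistic failure mode.
  reserved_concurrent_executions = 5

  # CKV_AWS_117: the role also needs the ENI permissions in
  # AWSLambdaVPCAccessExecutionRole, and the subnets an S3 gateway endpoint,
  # or the first S3 call hangs until the timeout.
  vpc_config {
    subnet_ids         = local.private_subnet_ids
    security_group_ids = [aws_security_group.lambda_egress.id]
  }

  # CKV_AWS_50: the role needs xray:PutTraceSegments / PutTelemetryRecords too.
  tracing_config {
    mode = "Active"
  }
  tags = local.tags
}
```

Two things the check names do not say: a DLQ only receives events from asynchronous invocations (S3 notifications are asynchronous, a synchronous caller gets the error itself), and because AWS Signer writes the signed package to S3 the function is deployed from `s3_bucket`/`s3_key` rather than `filename`. If the existing deploy pipeline is unsigned, `untrusted_artifact_on_deployment = "Warn"` is the safer first step before switching to `Enforce`.
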
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:100-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:161-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:217-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:282-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		282 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		283 |   name              = "catalog-dv-table-glue-job"
		284 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		285 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		286 |   glue_version      = "4.0"
		287 |   worker_type       = "G.1X"
		288 |   number_of_workers = 2
		289 |   default_arguments = {
		290 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		291 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		292 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		293 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		294 |     "--enable-continuous-cloudwatch-log" = "true"
		295 |     "--enable-continuous-log-filter"     = "true"
		296 |     "--enable-metrics"                   = ""
		297 |   }
		298 |   command {
		299 |     python_version  = "3"
		300 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		301 |   }
		302 | 
		303 |   tags = merge(
		304 |     local.tags,
		305 |     {
		306 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		307 |     }
		308 |   )
		309 | 
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

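CKV_AWS_338/158 on the three log groups and CKV_AWS_195 on the Glue jobs and crawler share one fix: a customer-managed key and a Glue security configuration that references it. The block below is an added example for this page, not the repository's code; it assumes `data.aws_caller_identity.current` and `data.aws_region.current` are declared, and shows one log group and one job. The `dms_dv_cw_log_group_v2` and `rds_to_s3_parquet_migration` groups take the same two attributes, and the other three jobs and the crawler take the same `security_configuration` attribute.

```hcl
# Added remediation example; not the repository's code. Assumed:
# data.aws_caller_identity.current and data.aws_region.current are declared.
# Other names are those from the scan output.

# CloudWatch Logs can only use a CMK whose key policy lets the Logs service
# principal encrypt for this account's log groups; without the second
# statement, setting kms_key_id on the log group fails with AccessDenied.
data "aws_iam_policy_document" "glue_logs_kms" {
  statement {
    sid       = "AccountRootAdmin"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "CloudWatchLogsUse"
    effect    = "Allow"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "glue_logs" {
  description         = "CMK for Glue job logs, bookmarks and S3 output"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.glue_logs_kms.json
}

# CKV_AWS_338 / CKV_AWS_158 (same change for the _v2 and rds_to_s3 groups)
resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
  name              = "dms-dv-glue-job"
  retention_in_days = 365
  kms_key_id        = aws_kms_key.glue_logs.arn
}

# CKV_AWS_195: Glue encrypts logs, bookmarks and S3 output only through a named
# security configuration; the job role must hold kms:GenerateDataKey/Decrypt on
# the key (granted via IAM, which the root statement above delegates) or the
# job fails at start-up.
resource "aws_glue_security_configuration" "dms_dv" {
  name = "dms-dv-glue-security-config"
  encryption_configuration {
    cloudwatch_encryption {
      cloudwatch_encryption_mode = "SSE-KMS"
      kms_key_arn                = aws_kms_key.glue_logs.arn
    }
    job_bookmarks_encryption {
      job_bookmarks_encryption_mode = "CSE-KMS"
      kms_key_arn                   = aws_kms_key.glue_logs.arn
    }
    s3_encryption {
      s3_encryption_mode = "SSE-KMS"
      kms_key_arn        = aws_kms_key.glue_logs.arn
    }
  }
}

resource "aws_glue_job" "catalog_dv_table_glue_job" {
  name                   = "catalog-dv-table-glue-job"
  role_arn               = aws_iam_role.dms_dv_glue_job_iam_role.arn
  glue_version           = "4.0"
  worker_type            = "G.1X"
  number_of_workers      = 2
  security_configuration = aws_glue_security_configuration.dms_dv.name
  default_arguments = {
    "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
    "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
    "--glue_catalog_tbl_name"            = "glue_df_output"
    "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
    "--enable-continuous-cloudwatch-log" = "true"
    "--enable-continuous-log-filter"     = "true"
    "--enable-metrics"                   = ""
  }
  command {
    python_version  = "3"
    script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
  }
  tags = local.tags
}
```

The continuous-logging argument already points the job at `dms_dv_cw_log_group`, so once that group is KMS-encrypted the `cloudwatch_encryption` block applies to the same stream. The security configuration only governs what the crawler writes; its JDBC credentials still live in the Glue connection. Moving retention from 14 to 365 days is the one line here with a storage cost, so confirm the continuous-log filter is on (it is, in the listing) before applying it to a chatty job.
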
Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		(aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound listing omitted here; identical to the block shown under CKV_AWS_24 above)

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		(aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound listing omitted here; identical to the block shown under CKV_AWS_24 above)

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		(aws_iam_policy_document.glue_notebook_ec2_iam_policy_document listing omitted here; identical to the block shown under CKV_AWS_111 above)

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		(aws_iam_policy_document.load_json_into_athena_s3_policy_document listing omitted here; identical to the block shown under CKV_AWS_111 above)

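For CKV_AWS_111/356 on `load_json_into_athena_s3_policy_document` the Athena and Glue statements can be scoped to real ARNs, while for `glue_notebook_ec2_iam_policy_document` the wildcard is legitimate and should be documented where the scanner reads it. The block below is an added example for this page, not the repository's code; it assumes `data.aws_caller_identity.current`, `data.aws_region.current` and an Athena workgroup resource `aws_athena_workgroup.load_json` that the Lambda passes as `WorkGroup`, none of which appear on the page.

```hcl
# Added remediation example; not the repository's code. Assumed:
# data.aws_caller_identity.current, data.aws_region.current, and an Athena
# workgroup aws_athena_workgroup.load_json that the function passes as
# WorkGroup in StartQueryExecution. Other names are from the scan output.
locals {
  glue_arn_prefix = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
  glue_db_name    = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
}

data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
  statement {
    sid     = "S3PermissionsForLoadingJsonIntoAthena"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:GetBucketLocation"]
    resources = [
      aws_s3_bucket.data_store.arn,
      "${aws_s3_bucket.data_store.arn}/*",
      module.athena-s3-bucket.bucket.arn,
      "${module.athena-s3-bucket.bucket.arn}/*",
      module.metadata-s3-bucket.bucket.arn,
      "${module.metadata-s3-bucket.bucket.arn}/*",
    ]
  }

  # Athena query actions are resource-scoped to a workgroup. A call that omits
  # WorkGroup runs in "primary", which this statement does not cover, so the
  # function has to name the workgroup explicitly.
  statement {
    sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
    effect = "Allow"
    actions = [
      "athena:StartQueryExecution",
      "athena:GetQueryExecution",
      "athena:GetQueryResults",
      "athena:StopQueryExecution",
    ]
    resources = [aws_athena_workgroup.load_json.arn]
  }

  # Glue catalog actions are authorised against the catalog, database and
  # table ARNs together, so all three levels are listed for the one database;
  # CreateDatabase/DeleteDatabase are thereby limited to that database name.
  statement {
    sid    = "GluePermissionsForLoadingJsonIntoAthena"
    effect = "Allow"
    actions = [
      "glue:GetTable",
      "glue:GetDatabase",
      "glue:GetDatabases",
      "glue:CreateTable",
      "glue:DeleteTable",
      "glue:CreateDatabase",
      "glue:DeleteDatabase",
      "glue:UpdateTable",
    ]
    resources = [
      "${local.glue_arn_prefix}:catalog",
      "${local.glue_arn_prefix}:database/${local.glue_db_name}",
      "${local.glue_arn_prefix}:table/${local.glue_db_name}/*",
    ]
  }
}

# ec2:Describe* has no resource-level permissions, so "*" is the only valid
# resource for that statement. Record the reason inline instead of re-triaging
# the same finding on every PR; the Create/DeleteNetworkInterface actions
# could be narrowed to the Glue subnets in a second statement if the wildcard
# is not acceptable.
data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
  #checkov:skip=CKV_AWS_356:ec2 Describe* calls do not support resource-level permissions
  #checkov:skip=CKV_AWS_111:ENI create/delete are required by Glue for VPC connections
  statement {
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeVpcEndpoints",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcAttribute",
      "ec2:DescribeRouteTables",
      "ec2:DescribeSecurityGroups",
    ]
    resources = ["*"]
  }
}
```

The Glue statement still grants `glue:GetDatabases`, which the catalog filters to the databases the caller may see, so the Lambda loses nothing it actually uses. The `load_json_table_s3_policy_document` finding (lambdas_iam.tf:493-548, not shown in full by the scanner) is the same shape and takes the same treatment.
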
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		(aws_db_instance.database_2022 listing omitted here; identical to the block shown under CKV_AWS_157 above)

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		(aws_db_instance.database_2022 listing omitted here; identical to the block shown under CKV_AWS_157 above)

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		(aws_db_instance.database_2022 listing omitted here; identical to the block shown under CKV_AWS_157 above)

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		(aws_db_instance.database_2022 listing omitted here; identical to the block shown under CKV_AWS_157 above)

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T12:24:56Z	INFO	Need to update DB
2024-07-19T12:24:56Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T12:24:57Z	INFO	Vulnerability scanning is enabled
2024-07-19T12:24:57Z	INFO	Misconfiguration scanning is enabled
2024-07-19T12:24:57Z	INFO	Need to update the built-in policies
2024-07-19T12:24:57Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-19T12:24:58Z	INFO	Secret scanning is enabled
2024-07-19T12:24:58Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T12:24:58Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T12:24:58Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-19T12:25:01Z	INFO	Number of language-specific files	num=1
2024-07-19T12:25:01Z	INFO	[pip] Detecting vulnerabilities...
2024-07-19T12:25:01Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 12:55 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 14:04 — with GitHub Actions Inactive

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T14:05:32Z INFO Need to update DB
2024-07-19T14:05:32Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T14:05:34Z INFO Vulnerability scanning is enabled
2024-07-19T14:05:34Z INFO Misconfiguration scanning is enabled
2024-07-19T14:05:34Z INFO Need to update the built-in policies
2024-07-19T14:05:34Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T14:05:35Z INFO Secret scanning is enabled
2024-07-19T14:05:35Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T14:05:35Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T14:05:35Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T14:05:39Z INFO Number of language-specific files num=1
2024-07-19T14:05:39Z INFO [pip] Detecting vulnerabilities...
2024-07-19T14:05:39Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1
```
</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-19 14:05:42,031 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-19 14:05:42,031 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1643, Failed checks: 108, Skipped checks: 11

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:100-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:161-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:217-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:282-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		282 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		283 |   name              = "catalog-dv-table-glue-job"
		284 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		285 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		286 |   glue_version      = "4.0"
		287 |   worker_type       = "G.1X"
		288 |   number_of_workers = 2
		289 |   default_arguments = {
		290 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		291 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		292 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		293 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		294 |     "--enable-continuous-cloudwatch-log" = "true"
		295 |     "--enable-continuous-log-filter"     = "true"
		296 |     "--enable-metrics"                   = ""
		297 |   }
		298 |   command {
		299 |     python_version  = "3"
		300 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		301 |   }
		302 | 
		303 |   tags = merge(
		304 |     local.tags,
		305 |     {
		306 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		307 |     }
		308 |   )
		309 | 
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T14:05:32Z	INFO	Need to update DB
2024-07-19T14:05:32Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T14:05:34Z	INFO	Vulnerability scanning is enabled
2024-07-19T14:05:34Z	INFO	Misconfiguration scanning is enabled
2024-07-19T14:05:34Z	INFO	Need to update the built-in policies
2024-07-19T14:05:34Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T14:05:35Z	INFO	Secret scanning is enabled
2024-07-19T14:05:35Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T14:05:35Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T14:05:35Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-19T14:05:39Z	INFO	Number of language-specific files	num=1
2024-07-19T14:05:39Z	INFO	[pip] Detecting vulnerabilities...
2024-07-19T14:05:39Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:08:35Z INFO Need to update DB
2024-07-19T15:08:35Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:08:37Z INFO Vulnerability scanning is enabled
2024-07-19T15:08:37Z INFO Misconfiguration scanning is enabled
2024-07-19T15:08:37Z INFO Need to update the built-in policies
2024-07-19T15:08:37Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:08:38Z INFO Secret scanning is enabled
2024-07-19T15:08:38Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:08:38Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:08:38Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:08:41Z INFO Number of language-specific files num=1
2024-07-19T15:08:41Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:08:41Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-19 15:08:44,059 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-19 15:08:44,060 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1643, Failed checks: 108, Skipped checks: 11

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:100-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:161-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:217-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:282-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		282 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		283 |   name              = "catalog-dv-table-glue-job"
		284 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		285 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		286 |   glue_version      = "4.0"
		287 |   worker_type       = "G.1X"
		288 |   number_of_workers = 2
		289 |   default_arguments = {
		290 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		291 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		292 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		293 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		294 |     "--enable-continuous-cloudwatch-log" = "true"
		295 |     "--enable-continuous-log-filter"     = "true"
		296 |     "--enable-metrics"                   = ""
		297 |   }
		298 |   command {
		299 |     python_version  = "3"
		300 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		301 |   }
		302 | 
		303 |   tags = merge(
		304 |     local.tags,
		305 |     {
		306 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		307 |     }
		308 |   )
		309 | 
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2
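Both tflint rules above have mechanical fixes. The block below is an added example written for this page, not code from the PR or the repository: it shows a `required_providers` block that pins `random` (which `server_backups.tf` pulls in implicitly through `random_password`) and a Step Functions definition built with `jsonencode()` that references the module outputs and workgroup named in the warnings directly. The state machine resource, its IAM role, the state names and the query text are assumptions standing in for whatever `step_functions_main.tf` actually contains.

```hcl
# Added example, not from the PR. Resource names, the role and the query are
# assumptions; the module outputs and the workgroup are the ones tflint listed.

# terraform_required_providers: every provider in use gets a source and a
# version constraint, otherwise `terraform init` silently takes the newest
# release and two runs of the same code can resolve to different providers.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}

# terraform_deprecated_interpolation: inside jsonencode() every value is a
# plain HCL expression, so "${module.x.arn}" is simply module.x.arn. Wrapping
# a single reference in "${...}" forces a string conversion and is flagged.
resource "aws_sfn_state_machine" "main" { # assumed name
  name     = "dms-to-athena-pipeline"     # assumed
  role_arn = aws_iam_role.step_functions.arn # assumed role

  definition = jsonencode({
    StartAt = "GetMetadataFromRds"
    States = {
      GetMetadataFromRds = {
        Type     = "Task"
        Resource = module.get_metadata_from_rds_lambda.lambda_function_arn
        Next     = "RunAthenaQuery"
      }
      RunAthenaQuery = {
        Type     = "Task"
        Resource = "arn:aws:states:::athena:startQueryExecution.sync"
        Parameters = {
          QueryString = "SELECT 1" # assumed; the real query lives in the PR
          WorkGroup   = aws_athena_workgroup.default.name
        }
        Next = "QueryOutputToList"
      }
      QueryOutputToList = {
        Type     = "Task"
        Resource = module.query_output_to_list.lambda_function_arn
        End      = true
      }
    }
  })
}
```

`tflint --fix` rewrites the interpolation-only expressions in place; the provider constraint has to be added by hand, and after adding it run `terraform init -upgrade` once so the lock file records the pinned `random` version.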

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:08:35Z	INFO	Need to update DB
2024-07-19T15:08:35Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:08:37Z	INFO	Vulnerability scanning is enabled
2024-07-19T15:08:37Z	INFO	Misconfiguration scanning is enabled
2024-07-19T15:08:37Z	INFO	Need to update the built-in policies
2024-07-19T15:08:37Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:08:38Z	INFO	Secret scanning is enabled
2024-07-19T15:08:38Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:08:38Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:08:38Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-19T15:08:41Z	INFO	Number of language-specific files	num=1
2024-07-19T15:08:41Z	INFO	[pip] Detecting vulnerabilities...
2024-07-19T15:08:41Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24bucket = aws_s3_bucket.data_store.id
  2526rule {
  27apply_server_side_encryption_by_default {
  28sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access the bucket if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223rule {
  24apply_server_side_encryption_by_default {
  25sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1
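The Terraform findings above reduce to three changes: a customer managed KMS key in place of SSE-S3 (avd-aws-0132), a public access block on the one bucket that lacks it (avd-aws-0086/0087/0091/0093), and egress rules scoped to the real dependencies instead of all TCP ports to 0.0.0.0/0 (avd-aws-0104). The block below is an added example written for this page, not code from the PR or the repository, applied to `dms_dv_glue_job_s3_bucket` and `lambda_db_security_group` from the report; the KMS key, the RDS and VPC-endpoint security group names, the database port and the use of VPC endpoints for AWS API traffic are assumptions.

```hcl
# Added example, not from the PR. The key, the referenced security groups
# and the database port are assumptions; the bucket and Lambda SG names are
# the ones Trivy flagged above.

# avd-aws-0132: SSE-KMS with a customer managed key. Rotation, key policy and
# CloudTrail logging of every Decrypt are then under the account's control,
# which SSE-S3 (AES256) does not give you.
resource "aws_kms_key" "glue_scripts" {
  description         = "CMK for the Glue job scripts bucket"
  enable_key_rotation = true # automatic yearly rotation of the key material
}

resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  bucket_prefix = "glue-jobs-py-scripts-"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_glue_job_s3_bucket" {
  bucket = aws_s3_bucket.dms_dv_glue_job_s3_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.glue_scripts.arn
    }
    bucket_key_enabled = true # one data key per bucket, far fewer KMS calls
  }
}

# avd-aws-0086/0087/0091/0093: all four controls, so neither an object ACL nor
# a bucket policy can ever make the scripts bucket readable from the internet.
resource "aws_s3_bucket_public_access_block" "dms_dv_glue_job_s3_bucket" {
  bucket = aws_s3_bucket.dms_dv_glue_job_s3_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# avd-aws-0104: replace "all TCP to 0.0.0.0/0" with one rule per dependency.
# A Lambda in this VPC needs the database and the AWS APIs, nothing else.
variable "db_port" {
  type    = number
  default = 5432 # assumption: PostgreSQL; 1433 for SQL Server, 3306 for MySQL
}

# Database: target the RDS security group, not a CIDR, so the rule follows
# the instance if its address changes.
resource "aws_vpc_security_group_egress_rule" "lambda_to_rds" {
  security_group_id            = aws_security_group.lambda_db_security_group.id
  referenced_security_group_id = aws_security_group.rds.id # assumed name
  ip_protocol                  = "tcp"
  from_port                    = var.db_port
  to_port                      = var.db_port
  description                  = "Lambda to RDS"
}

# S3 via the gateway endpoint: its address range is the regional prefix list.
data "aws_prefix_list" "s3" {
  name = "com.amazonaws.eu-west-2.s3"
}

resource "aws_vpc_security_group_egress_rule" "lambda_to_s3" {
  security_group_id = aws_security_group.lambda_db_security_group.id
  prefix_list_id    = data.aws_prefix_list.s3.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  description       = "Lambda to S3 gateway endpoint"
}

# Athena, Glue, KMS and the rest: interface endpoints share one security
# group (assumed name), and HTTPS is the only port they answer on.
resource "aws_vpc_security_group_egress_rule" "lambda_to_vpc_endpoints" {
  security_group_id            = aws_security_group.lambda_db_security_group.id
  referenced_security_group_id = aws_security_group.vpc_endpoints.id # assumed name
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  description                  = "Lambda to interface endpoints"
}
```

Two caveats before applying the encryption change: every principal that reads or writes the bucket (the DMS endpoint role, the Glue job role, the Lambda roles) also needs `kms:Decrypt` and, for writers, `kms:GenerateDataKey` on the new key, or the next run fails with AccessDenied; and objects already stored under AES256 stay that way until they are rewritten. The same egress pattern applies to `dms_ri_security_group` and `glue_rds_conn_security_group`, scoped to the source database's security group and the S3 prefix list. The Dockerfile finding (ds002) is the one item outside Terraform: add a `USER` instruction naming a non-root account after the dependencies are installed.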

@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 15:15 — with GitHub Actions Inactive
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 15:45 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:46:37Z INFO Need to update DB
2024-07-19T15:46:37Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:46:39Z INFO Vulnerability scanning is enabled
2024-07-19T15:46:39Z INFO Misconfiguration scanning is enabled
2024-07-19T15:46:39Z INFO Need to update the built-in policies
2024-07-19T15:46:39Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:46:40Z INFO Secret scanning is enabled
2024-07-19T15:46:40Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:46:40Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:46:40Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:46:45Z INFO Number of language-specific files num=1
2024-07-19T15:46:45Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:46:45Z INFO Detected config files num=24

bastion_linux.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access the bucket if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)

Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)

Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)

Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

server_backups.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)

Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-19 15:46:47,943 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-19 15:46:47,943 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1643, Failed checks: 108, Skipped checks: 11

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:100-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:161-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:217-280
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:283-311
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		283 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		284 |   name              = "catalog-dv-table-glue-job"
		285 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		286 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		287 |   glue_version      = "4.0"
		288 |   worker_type       = "G.1X"
		289 |   number_of_workers = 2
		290 |   default_arguments = {
		291 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		292 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		293 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		294 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		295 |     "--enable-continuous-cloudwatch-log" = "true"
		296 |     "--enable-continuous-log-filter"     = "true"
		297 |     "--enable-metrics"                   = ""
		298 |   }
		299 |   command {
		300 |     python_version  = "3"
		301 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		302 |   }
		303 | 
		304 |   tags = merge(
		305 |     local.tags,
		306 |     {
		307 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		308 |     }
		309 |   )
		310 | 
		311 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }
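
The two CKV2_AWS_57 findings above are cleared by attaching an `aws_secretsmanager_secret_rotation` to the secret. The following is an added example, not the project's configuration: it assumes a rotation function `aws_lambda_function.db_password_rotation` (built from one of the AWS-published RDS rotation templates) already exists elsewhere, and shows the Lambda permission that Secrets Manager needs in order to invoke it.

```hcl
# Added example (not the project's code). Assumes a rotation Lambda
# "aws_lambda_function.db_password_rotation" is defined elsewhere.
resource "aws_secretsmanager_secret" "db_password" {
  name = "db_password"
}

# Secrets Manager calls the rotation function; scope the grant to this one secret
resource "aws_lambda_permission" "secretsmanager_invoke_rotation" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.db_password_rotation.function_name
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.db_password.arn
}

# CKV2_AWS_57: rotate automatically; 30 days is a common starting point
resource "aws_secretsmanager_secret_rotation" "db_password" {
  secret_id           = aws_secretsmanager_secret.db_password.id
  rotation_lambda_arn = aws_lambda_function.db_password_rotation.arn

  rotation_rules {
    automatically_after_days = 30
  }

  # the permission must exist before Secrets Manager runs the first rotation
  depends_on = [aws_lambda_permission.secretsmanager_invoke_rotation]
}
```

Enabling rotation only helps if the function actually changes the credential at the database as well as in the secret (the AWS RDS templates do this in their createSecret/setSecret/testSecret/finishSecret steps) and if the secret value has the JSON shape those templates expect (`username`, `password`, `engine`, `host`, `port`, `dbname`). Every consumer, including whatever reads `db_glue_connection`, must fetch the secret at run time rather than copying the password into its own configuration, or the first rotation will break it.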

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }
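
All of the S3 findings above (CKV_AWS_144, CKV_AWS_145, CKV_AWS_18, CKV_AWS_21, CKV2_AWS_6, CKV2_AWS_61) come from buckets declared as a bare `aws_s3_bucket`; checkov passes them once the matching companion resources are attached. Note that the five identical findings per check against `/modules/s3_log_bucket/main.tf:2-11` are one module instantiated five times, so a single change to that module clears them all. The following is an added example, not the project's module: bucket names, the customer managed key `aws_kms_key.s3` and the `data`/`logs` resource names are assumed. It deliberately leaves out CKV_AWS_144, since cross-region replication needs a destination bucket in a second region and a replication role, and in a single-region environment it is usually suppressed with a reason rather than implemented.

```hcl
# Added example, not the project's s3_log_bucket module. Assumes a customer
# managed key "aws_kms_key.s3" is defined elsewhere in the configuration.
data "aws_caller_identity" "current" {}

# ---- data bucket: the companion resources checkov looks for ----
resource "aws_s3_bucket" "data" {
  bucket_prefix = "example-data-" # assumed name
}

# CKV2_AWS_6 / avd-aws-0086, -0087, -0091, -0093: all four blocks on
resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_145 / avd-aws-0132: SSE-KMS with a CMK instead of AES256
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn # assumed to exist
    }
    bucket_key_enabled = true # fewer KMS calls, same key
  }
}

# CKV_AWS_21: versioning, so overwritten or deleted objects are recoverable
resource "aws_s3_bucket_versioning" "data" {
  bucket = aws_s3_bucket.data.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: a lifecycle rule; this one caps the cost of versioning
resource "aws_s3_bucket_lifecycle_configuration" "data" {
  bucket     = aws_s3_bucket.data.id
  depends_on = [aws_s3_bucket_versioning.data]
  rule {
    id     = "housekeeping"
    status = "Enabled"
    filter {}
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}

# CKV_AWS_18: server access logs delivered to a separate bucket
resource "aws_s3_bucket_logging" "data" {
  bucket        = aws_s3_bucket.data.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "${aws_s3_bucket.data.id}/"
}

# ---- log bucket: keep SSE-S3 and suppress the two checks that cannot apply ----
resource "aws_s3_bucket" "logs" {
  # S3 does not deliver server access logs into a bucket whose default
  # encryption is SSE-KMS, and logging the log bucket to itself would loop
  #checkov:skip=CKV_AWS_145:access-log target buckets only support SSE-S3
  #checkov:skip=CKV_AWS_18:this is the log bucket; it is not logged to itself
  bucket        = "${aws_s3_bucket.data.id}-logs"
  force_destroy = false # do not let terraform destroy delete evidence
}

# With ACLs disabled (the default for new buckets) the log delivery service
# needs an explicit bucket-policy grant, scoped to this account
data "aws_iam_policy_document" "logs" {
  statement {
    sid       = "S3ServerAccessLogsPolicy"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs.json
}
```

The public access block, versioning and lifecycle resources apply to the log bucket in exactly the same way and are omitted above only for length. The `#checkov:skip` comments must sit inside the resource block they apply to, and each carries a reason so the suppression is reviewable rather than silent.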

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
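
The three tflint rule families above (untyped variable, unpinned `archive` and `random` providers, interpolation-only strings) are all mechanical to fix, but the interpolation warnings are worth more than a cosmetic pass: every one of them sits inside a hand-written JSON document (an IAM policy and a Step Functions definition), and switching those to `aws_iam_policy_document` and `jsonencode()` removes the quoting problem altogether. The following is an added example, not the project's configuration; the IAM role, state machine name and the purpose of `checksum_algorithm` are assumed, only the resource and module references quoted in the warnings are taken from the page.

```hcl
# Added example, not the project's code. Names not quoted in the tflint
# warnings above (role, state machine, variable purpose) are assumed.

# terraform_required_providers: pin every provider the configuration uses,
# including archive and random, which are easy to forget because each is
# pulled in by a single data source or resource
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.4"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}

# terraform_typed_variables: an untyped variable accepts anything. Give it a
# type and, where the valid values are known, a validation block. The list
# below assumes the variable selects an S3 object checksum algorithm.
variable "checksum_algorithm" {
  type        = string
  description = "Checksum algorithm used for S3 uploads"
  default     = "SHA256"

  validation {
    condition     = contains(["CRC32", "CRC32C", "SHA1", "SHA256"], var.checksum_algorithm)
    error_message = "checksum_algorithm must be one of CRC32, CRC32C, SHA1 or SHA256."
  }
}

# terraform_deprecated_interpolation: "${expr}" with nothing else in the
# string is just expr. In a policy document, reference the ARNs directly.
data "aws_iam_policy_document" "dms_s3_access" {
  statement {
    actions = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = [
      aws_s3_bucket.dms_target_ep_s3_bucket.arn,
      module.athena-s3-bucket.bucket.arn,
      module.dms-premigrate-assess-store.bucket.arn,
    ]
  }
}

# The same applies to the Step Functions definition: built with jsonencode()
# every reference is a plain expression and the output is guaranteed to be
# valid JSON, which a hand-written heredoc is not.
resource "aws_sfn_state_machine" "main" {
  name     = "example-pipeline"             # assumed
  role_arn = aws_iam_role.step_functions.arn # assumed

  definition = jsonencode({
    StartAt = "GetMetadataFromRds"
    States = {
      GetMetadataFromRds = {
        Type     = "Task"
        Resource = module.get_metadata_from_rds_lambda.lambda_function_arn
        Next     = "RunAthenaQuery"
      }
      RunAthenaQuery = {
        Type     = "Task"
        Resource = "arn:aws:states:::athena:startQueryExecution.sync"
        Parameters = {
          "QueryString.$" = "$.query" # JSONPath keys keep their ".$" suffix
          WorkGroup       = aws_athena_workgroup.default.name
        }
        End = true
      }
    }
  })
}
```

The `[Fixable]` interpolation warnings can also be applied in bulk with `tflint --fix`, but that only strips the `${}` wrappers; it does not move the JSON out of heredocs, which is where the real fragility is.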

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:46:37Z	INFO	Need to update DB
2024-07-19T15:46:37Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:46:39Z	INFO	Vulnerability scanning is enabled
2024-07-19T15:46:39Z	INFO	Misconfiguration scanning is enabled
2024-07-19T15:46:39Z	INFO	Need to update the built-in policies
2024-07-19T15:46:39Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:46:40Z	INFO	Secret scanning is enabled
2024-07-19T15:46:40Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:46:40Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:46:40Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-19T15:46:45Z	INFO	Number of language-specific files	num=1
2024-07-19T15:46:45Z	INFO	[pip] Detecting vulnerabilities...
2024-07-19T15:46:45Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

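The Trivy findings in the scan above fall into three groups: buckets declared with no `aws_s3_bucket_public_access_block` (avd-aws-0086, 0087, 0091, 0093), server-side encryption set to `AES256` (SSE-S3) rather than a customer managed KMS key (avd-aws-0132), and egress rules open to `0.0.0.0/0` on TCP 0-65535 (avd-aws-0104). The Terraform below is an added example of the hardened counterpart to each, written for this page; it is not code from this PR or from the repository. The resource names `glue_job_scripts`, `aws_security_group.rds`, `aws_vpc_endpoint.s3`, the KMS alias and the use of port 5432 are assumptions, not values taken from the scanned files.

```hcl
# Added example, not part of the scanned repository. Resource names, the peer
# security group, the gateway endpoint and the database port are assumptions.

# 1. avd-aws-0086/0087/0091/0093: pair every bucket with a public access block
#    that turns on all four settings.
resource "aws_s3_bucket" "glue_job_scripts" {
  bucket_prefix = "glue-jobs-py-scripts-"
}

resource "aws_s3_bucket_public_access_block" "glue_job_scripts" {
  bucket                  = aws_s3_bucket.glue_job_scripts.id
  block_public_acls       = true # PUTs carrying a public ACL are rejected
  block_public_policy     = true # bucket policies granting public access are rejected
  ignore_public_acls      = true # any public ACL already present is ignored
  restrict_public_buckets = true # a public policy only reaches the owner and AWS services
}

# 2. avd-aws-0132: encrypt with a customer managed KMS key instead of SSE-S3.
resource "aws_kms_key" "s3" {
  description             = "CMK for S3 buckets (assumed name)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "s3" {
  name          = "alias/s3-buckets" # assumed alias
  target_key_id = aws_kms_key.s3.key_id
}

resource "aws_s3_bucket_server_side_encryption_configuration" "glue_job_scripts" {
  bucket = aws_s3_bucket.glue_job_scripts.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    # S3 Bucket Keys cut the number of KMS calls per object without weakening the control.
    bucket_key_enabled = true
  }
}

# Belt and braces: refuse any PUT that does not explicitly request SSE-KMS, so a
# client cannot write an object with a weaker setting than the bucket default.
data "aws_iam_policy_document" "glue_job_scripts" {
  statement {
    sid       = "DenyPutsWithoutSseKms"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.glue_job_scripts.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
}

resource "aws_s3_bucket_policy" "glue_job_scripts" {
  bucket = aws_s3_bucket.glue_job_scripts.id
  policy = data.aws_iam_policy_document.glue_job_scripts.json
}

# 3. avd-aws-0104: scope egress to the peer's security group and the one port it
#    listens on, instead of 0.0.0.0/0 on 0-65535.
resource "aws_vpc_security_group_egress_rule" "glue_to_rds" {
  security_group_id            = aws_security_group.glue_rds_conn_security_group.id
  referenced_security_group_id = aws_security_group.rds.id # assumed: the RDS instance's SG
  ip_protocol                  = "tcp"
  from_port                    = 5432 # assumed PostgreSQL; use the engine's real port
  to_port                      = 5432
  description                  = "Glue to RDS only"
}

# Where AWS API access is genuinely needed (Glue reading scripts from S3), keep it
# off the internet: a gateway endpoint plus egress to its managed prefix list.
resource "aws_vpc_security_group_egress_rule" "glue_to_s3_endpoint" {
  security_group_id = aws_security_group.glue_rds_conn_security_group.id
  prefix_list_id    = aws_vpc_endpoint.s3.prefix_list_id # assumed gateway endpoint resource
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  description       = "Glue to S3 via gateway endpoint"
}
```

Two things to check before applying a change like this. Switching a bucket to SSE-KMS puts KMS in the request path, so every principal that reads or writes it (the Glue and DMS roles here) needs `kms:Decrypt`, `kms:Encrypt` and `kms:GenerateDataKey` on the key or the jobs fail at the first object; with the deny statement in place, writers must also send the `x-amz-server-side-encryption: aws:kms` header. An `aws_vpc_security_group_egress_rule` accepts exactly one of `cidr_ipv4`, `cidr_ipv6`, `prefix_list_id` or `referenced_security_group_id`, so each destination gets its own rule rather than one wide one.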
@madhu-k-sr2 madhu-k-sr2 temporarily deployed to electronic-monitoring-data-development July 19, 2024 15:55 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data


Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:56:20Z INFO Need to update DB
2024-07-19T15:56:20Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:56:22Z INFO Vulnerability scanning is enabled
2024-07-19T15:56:22Z INFO Misconfiguration scanning is enabled
2024-07-19T15:56:22Z INFO Need to update the built-in policies
2024-07-19T15:56:22Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:56:22Z INFO Secret scanning is enabled
2024-07-19T15:56:22Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:56:22Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:56:25Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:56:25Z INFO Number of language-specific files num=1
2024-07-19T15:56:25Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:56:25Z INFO Detected config files num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling restrict_public_buckets, only the bucket owner and AWS services can access the bucket if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_iam.tf (terraform)
==========================
Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)

lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────

modules/lambdas/main.tf (terraform)
===================================
Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────

server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

Checkov Scan Failed

Show Output ```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-19 15:56:28,142 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-07-19 15:56:28,143 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1643, Failed checks: 108, Skipped checks: 11

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		85 |   name              = "dms-dv-glue-job"
		86 |   retention_in_days = 14
		87 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:89-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		89 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		90 |   name              = "dms-dv-glue-job-v2"
		91 |   retention_in_days = 14
		92 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:94-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		95 |   name              = "rds-to-s3-parquet-migration"
		96 |   retention_in_days = 14
		97 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:100-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:161-214
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:217-280
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:283-311
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		283 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		284 |   name              = "catalog-dv-table-glue-job"
		285 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		286 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		287 |   glue_version      = "4.0"
		288 |   worker_type       = "G.1X"
		289 |   number_of_workers = 2
		290 |   default_arguments = {
		291 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		292 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		293 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		294 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		295 |     "--enable-continuous-cloudwatch-log" = "true"
		296 |     "--enable-continuous-log-filter"     = "true"
		297 |     "--enable-metrics"                   = ""
		298 |   }
		299 |   command {
		300 |     python_version  = "3"
		301 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		302 |   }
		303 | 
		304 |   tags = merge(
		305 |     local.tags,
		306 |     {
		307 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		308 |     }
		309 |   )
		310 | 
		311 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:493-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_into_athena_s3_policy_document
	File: /lambdas_iam.tf:656-701
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		656 | data "aws_iam_policy_document" "load_json_into_athena_s3_policy_document" {
		657 |   statement {
		658 |     sid    = "S3PermissionsForLoadingJsonIntoAthena"
		659 |     effect = "Allow"
		660 |     actions = [
		661 |       "s3:GetObject",
		662 |       "s3:PutObject",
		663 |       "s3:ListBucket",
		664 |       "s3:GetBucketLocation"
		665 |     ]
		666 |     resources = [
		667 |       "${aws_s3_bucket.data_store.arn}/*",
		668 |       aws_s3_bucket.data_store.arn,
		669 |       "${module.athena-s3-bucket.bucket.arn}/*",
		670 |       module.athena-s3-bucket.bucket.arn,
		671 |       module.metadata-s3-bucket.bucket.arn,
		672 |       "${module.metadata-s3-bucket.bucket.arn}/*",
		673 |     ]
		674 |   }
		675 |   statement {
		676 |     sid    = "AthenaPermissionsForLoadingJsonIntoAthena"
		677 |     effect = "Allow"
		678 |     actions = [
		679 |       "athena:StartQueryExecution",
		680 |       "athena:GetQueryExecution",
		681 |       "athena:GetQueryResults",
		682 |       "athena:StopQueryExecution"
		683 |     ]
		684 |     resources = ["*"]
		685 |   }
		686 |   statement {
		687 |     sid    = "GluePermissionsForLoadingJsonIntoAthena"
		688 |     effect = "Allow"
		689 |     actions = [
		690 |       "glue:GetTable",
		691 |       "glue:GetDatabase",
		692 |       "glue:GetDatabases",
		693 |       "glue:CreateTable",
		694 |       "glue:DeleteTable",
		695 |       "glue:CreateDatabase",
		696 |       "glue:DeleteDatabase",
		697 |       "glue:UpdateTable"
		698 |     ]
		699 |     resources = ["*"]
		700 |   }
		701 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
 191: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:56:20Z	INFO	Need to update DB
2024-07-19T15:56:20Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:56:22Z	INFO	Vulnerability scanning is enabled
2024-07-19T15:56:22Z	INFO	Misconfiguration scanning is enabled
2024-07-19T15:56:22Z	INFO	Need to update the built-in policies
2024-07-19T15:56:22Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:56:22Z	INFO	Secret scanning is enabled
2024-07-19T15:56:22Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:56:22Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:56:25Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-19T15:56:25Z	INFO	Number of language-specific files	num=1
2024-07-19T15:56:25Z	INFO	[pip] Detecting vulnerabilities...
2024-07-19T15:56:25Z	INFO	Detected config files	num=24

bastion_linux.tf (terraform)
============================
Tests: 3 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  25 │ 
  26 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 32 (SUCCESSES: 10, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


glue_data.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_iam.tf (terraform)
==========================
Tests: 16 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 16)
Failures: 0 (HIGH: 0, CRITICAL: 0)


lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/lambdas/main.tf (terraform)
===================================
Tests: 55 (SUCCESSES: 22, FAILURES: 0, EXCEPTIONS: 33)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/landing_zone/main.tf (terraform)
========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 32 (SUCCESSES: 30, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
  20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  22 │ 
  23 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



server_backups.tf (terraform)
=============================
Tests: 7 (SUCCESSES: 6, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


step_functions_iam.tf (terraform)
=================================
Tests: 11 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

@matt-heery matt-heery left a comment

lgtm

@madhu-k-sr2 madhu-k-sr2 merged commit 0523539 into main Jul 19, 2024
11 of 12 checks passed
@madhu-k-sr2 madhu-k-sr2 deleted the Migration_GlueJob_Corrections-4 branch July 19, 2024 16:12
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update