Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T07:53:47Z INFO Need to update DB
2024-07-19T07:53:47Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T07:53:49Z INFO Vulnerability scanning is enabled
2024-07-19T07:53:49Z INFO Misconfiguration scanning is enabled
2024-07-19T07:53:49Z INFO Need to update the built-in policies
2024-07-19T07:53:49Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T07:53:50Z INFO Secret scanning is enabled
2024-07-19T07:53:50Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T07:53:50Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T07:53:57Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T07:53:57Z INFO Number of language-specific files num=1
2024-07-19T07:53:57Z INFO [pip] Detecting vulnerabilities...
2024-07-19T07:53:57Z INFO Detected config files num=24
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:
Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)
on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
118: variable "checksum_algorithm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
62: "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
63: "${module.athena-s3-bucket.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
64: "${module.dms-premigrate-assess-store.bucket.arn}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
191: data "archive_file" "query_output_to_list" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
13: resource "random_password" "random_password" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
11: "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
24: "Resource": "${module.create_athena_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
98: "WorkGroup": "${aws_athena_workgroup.default.name}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
114: "Resource": "${module.query_output_to_list.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
127: "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
141: "Resource": "${module.send_table_to_ap.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
152: "Resource": "${module.update_log_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
164: "WorkGroup": "${aws_athena_workgroup.default.name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T07:53:47Z INFO Need to update DB
2024-07-19T07:53:47Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T07:53:49Z INFO Vulnerability scanning is enabled
2024-07-19T07:53:49Z INFO Misconfiguration scanning is enabled
2024-07-19T07:53:49Z INFO Need to update the built-in policies
2024-07-19T07:53:49Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T07:53:50Z INFO Secret scanning is enabled
2024-07-19T07:53:50Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T07:53:50Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T07:53:57Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T07:53:57Z INFO Number of language-specific files num=1
2024-07-19T07:53:57Z INFO [pip] Detecting vulnerabilities...
2024-07-19T07:53:57Z INFO Detected config files num=24
bastion_linux.tf (terraform)
============================
Tests:3 (SUCCESSES:1, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
data_store.tf (terraform)
=========================
Tests:11 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:2)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │   bucket = aws_s3_bucket.data_store.id
25 │
26 │   rule {
27 │     apply_server_side_encryption_by_default {
28 │       sse_algorithm = "AES256"
29 │     }
30 │   }
31 └ }
────────────────────────────────────────
dms_data_validation_glue_job.tf (terraform)
===========================================
Tests:13 (SUCCESSES:8, FAILURES:5, EXCEPTIONS:0)
Failures:5 (HIGH:5, CRITICAL:0)
HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_s3_target_ep.tf (terraform)
===============================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_security_groups.tf (terraform)
==================================
Tests:6 (SUCCESSES:4, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:0, CRITICAL:2)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15     security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [   cidr_ipv4         = "0.0.0.0/0"
18     ip_protocol       = "tcp"
19     from_port         = 0
20     to_port           = 65535
21     description       = "DMS Terraform"
22   }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [   cidr_ipv4         = "0.0.0.0/0"
63     ip_protocol       = "tcp"
64     from_port         = 0
65     to_port           = 65535
66     description       = "Required ports open for Glue-RDS-Connection"
67   }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:32 (SUCCESSES:10, FAILURES:0, EXCEPTIONS:22)
Failures:0 (HIGH:0, CRITICAL:0)
glue_data.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:4)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
lambdas_iam.tf (terraform)
==========================
Tests:13 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:13)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas_security_groups.tf (terraform)
======================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11     security_group_id = aws_security_group.lambda_db_security_group.id
12 [   cidr_ipv4         = "0.0.0.0/0"
13     ip_protocol       = "tcp"
14     from_port         = 0
15     to_port           = 65535
16     description       = "Lambda outbound access"
17   }
────────────────────────────────────────
modules/lambdas/main.tf (terraform)
===================================
Tests:50 (SUCCESSES:20, FAILURES:0, EXCEPTIONS:30)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests:1 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/main.tf (terraform)
========================================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests:32 (SUCCESSES:30, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
server_backups.tf (terraform)
=============================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
step_functions_iam.tf (terraform)
=================================
Tests:11 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:11)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T08:09:36Z INFO Need to update DB
2024-07-19T08:09:36Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T08:09:38Z INFO Vulnerability scanning is enabled
2024-07-19T08:09:38Z INFO Misconfiguration scanning is enabled
2024-07-19T08:09:38Z INFO Need to update the built-in policies
2024-07-19T08:09:38Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T08:09:38Z INFO Secret scanning is enabled
2024-07-19T08:09:38Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T08:09:38Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T08:09:41Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T08:09:42Z INFO Number of language-specific files num=1
2024-07-19T08:09:42Z INFO [pip] Detecting vulnerabilities...
2024-07-19T08:09:42Z INFO Detected config files num=24
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14issue(s) found:
Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)
on terraform/environments/electronic-monitoring-data/data_store.tf line 118:118:variable"checksum_algorithm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/data_store.tf line 190:190:data"archive_file""summarise_zip_lambda" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:62:"${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:63:"${module.athena-s3-bucket.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
64: "${module.dms-premigrate-assess-store.bucket.arn}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
13: resource "random_password" "random_password" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
11: "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
24: "Resource": "${module.create_athena_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
98: "WorkGroup": "${aws_athena_workgroup.default.name}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
114: "Resource": "${module.query_output_to_list.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
127: "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
141: "Resource": "${module.send_table_to_ap.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
152: "Resource": "${module.update_log_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
164: "WorkGroup": "${aws_athena_workgroup.default.name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T08:09:36Z INFO Need to update DB
2024-07-19T08:09:36Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T08:09:38Z INFO Vulnerability scanning is enabled
2024-07-19T08:09:38Z INFO Misconfiguration scanning is enabled
2024-07-19T08:09:38Z INFO Need to update the built-in policies
2024-07-19T08:09:38Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T08:09:38Z INFO Secret scanning is enabled
2024-07-19T08:09:38Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T08:09:38Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T08:09:41Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T08:09:42Z INFO Number of language-specific files num=1
2024-07-19T08:09:42Z INFO [pip] Detecting vulnerabilities...
2024-07-19T08:09:42Z INFO Detected config files num=24
bastion_linux.tf (terraform)
============================
Tests:3 (SUCCESSES:1, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
data_store.tf (terraform)
=========================
Tests:11 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:2)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │   bucket = aws_s3_bucket.data_store.id
25 │
26 │   rule {
27 │     apply_server_side_encryption_by_default {
28 │       sse_algorithm = "AES256"
29 │     }
30 │   }
31 └ }
────────────────────────────────────────
dms_data_validation_glue_job.tf (terraform)
===========================================
Tests:13 (SUCCESSES:8, FAILURES:5, EXCEPTIONS:0)
Failures:5 (HIGH:5, CRITICAL:0)
HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_s3_target_ep.tf (terraform)
===============================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_security_groups.tf (terraform)
==================================
Tests:6 (SUCCESSES:4, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:0, CRITICAL:2)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15     security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [   cidr_ipv4         = "0.0.0.0/0"
18     ip_protocol       = "tcp"
19     from_port         = 0
20     to_port           = 65535
21     description       = "DMS Terraform"
22   }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [   cidr_ipv4         = "0.0.0.0/0"
63     ip_protocol       = "tcp"
64     from_port         = 0
65     to_port           = 65535
66     description       = "Required ports open for Glue-RDS-Connection"
67   }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:32 (SUCCESSES:10, FAILURES:0, EXCEPTIONS:22)
Failures:0 (HIGH:0, CRITICAL:0)
glue_data.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:4)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
lambdas_iam.tf (terraform)
==========================
Tests:13 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:13)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas_security_groups.tf (terraform)
======================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11     security_group_id = aws_security_group.lambda_db_security_group.id
12 [   cidr_ipv4         = "0.0.0.0/0"
13     ip_protocol       = "tcp"
14     from_port         = 0
15     to_port           = 65535
16     description       = "Lambda outbound access"
17   }
────────────────────────────────────────
modules/lambdas/main.tf (terraform)
===================================
Tests:50 (SUCCESSES:20, FAILURES:0, EXCEPTIONS:30)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests:1 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/main.tf (terraform)
========================================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests:32 (SUCCESSES:30, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
server_backups.tf (terraform)
=============================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
step_functions_iam.tf (terraform)
=================================
Tests:11 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:11)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T11:53:43Z INFO Need to update DB
2024-07-19T11:53:43Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T11:53:45Z INFO Vulnerability scanning is enabled
2024-07-19T11:53:45Z INFO Misconfiguration scanning is enabled
2024-07-19T11:53:45Z INFO Need to update the built-in policies
2024-07-19T11:53:45Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T11:53:45Z INFO Secret scanning is enabled
2024-07-19T11:53:45Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T11:53:45Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T11:53:45Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T11:53:49Z INFO Number of language-specific files num=1
2024-07-19T11:53:49Z INFO [pip] Detecting vulnerabilities...
2024-07-19T11:53:49Z INFO Detected config files num=24
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:
Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)
on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
118: variable "checksum_algorithm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
190: data "archive_file" "summarise_zip_lambda" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
62: "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
63: "${module.athena-s3-bucket.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
64: "${module.dms-premigrate-assess-store.bucket.arn}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
13: resource "random_password" "random_password" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
11: "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
24: "Resource": "${module.create_athena_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
98: "WorkGroup": "${aws_athena_workgroup.default.name}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
114: "Resource": "${module.query_output_to_list.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
127: "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
141: "Resource": "${module.send_table_to_ap.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
152: "Resource": "${module.update_log_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
164: "WorkGroup": "${aws_athena_workgroup.default.name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T11:53:43Z INFO Need to update DB
2024-07-19T11:53:43Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T11:53:45Z INFO Vulnerability scanning is enabled
2024-07-19T11:53:45Z INFO Misconfiguration scanning is enabled
2024-07-19T11:53:45Z INFO Need to update the built-in policies
2024-07-19T11:53:45Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T11:53:45Z INFO Secret scanning is enabled
2024-07-19T11:53:45Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T11:53:45Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T11:53:45Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T11:53:49Z INFO Number of language-specific files num=1
2024-07-19T11:53:49Z INFO [pip] Detecting vulnerabilities...
2024-07-19T11:53:49Z INFO Detected config files num=24
bastion_linux.tf (terraform)
============================
Tests:3 (SUCCESSES:1, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
data_store.tf (terraform)
=========================
Tests:11 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:2)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │   bucket = aws_s3_bucket.data_store.id
25 │
26 │   rule {
27 │     apply_server_side_encryption_by_default {
28 │       sse_algorithm = "AES256"
29 │     }
30 │   }
31 └ }
────────────────────────────────────────
dms_data_validation_glue_job.tf (terraform)
===========================================
Tests:13 (SUCCESSES:8, FAILURES:5, EXCEPTIONS:0)
Failures:5 (HIGH:5, CRITICAL:0)
HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_s3_target_ep.tf (terraform)
===============================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_security_groups.tf (terraform)
==================================
Tests:6 (SUCCESSES:4, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:0, CRITICAL:2)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15     security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [   cidr_ipv4         = "0.0.0.0/0"
18     ip_protocol       = "tcp"
19     from_port         = 0
20     to_port           = 65535
21     description       = "DMS Terraform"
22   }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [   cidr_ipv4         = "0.0.0.0/0"
63     ip_protocol       = "tcp"
64     from_port         = 0
65     to_port           = 65535
66     description       = "Required ports open for Glue-RDS-Connection"
67   }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:32 (SUCCESSES:10, FAILURES:0, EXCEPTIONS:22)
Failures:0 (HIGH:0, CRITICAL:0)
glue_data.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:4)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
lambdas_iam.tf (terraform)
==========================
Tests:16 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:16)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas_security_groups.tf (terraform)
======================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11     security_group_id = aws_security_group.lambda_db_security_group.id
12 [   cidr_ipv4         = "0.0.0.0/0"
13     ip_protocol       = "tcp"
14     from_port         = 0
15     to_port           = 65535
16     description       = "Lambda outbound access"
17   }
────────────────────────────────────────
modules/lambdas/main.tf (terraform)
===================================
Tests:55 (SUCCESSES:22, FAILURES:0, EXCEPTIONS:33)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests:1 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/main.tf (terraform)
========================================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests:32 (SUCCESSES:30, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
server_backups.tf (terraform)
=============================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
step_functions_iam.tf (terraform)
=================================
Tests:11 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:11)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T12:24:56Z INFO Need to update DB
2024-07-19T12:24:56Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T12:24:57Z INFO Vulnerability scanning is enabled
2024-07-19T12:24:57Z INFO Misconfiguration scanning is enabled
2024-07-19T12:24:57Z INFO Need to update the built-in policies
2024-07-19T12:24:57Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T12:24:58Z INFO Secret scanning is enabled
2024-07-19T12:24:58Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T12:24:58Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T12:24:58Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T12:25:01Z INFO Number of language-specific files num=1
2024-07-19T12:25:01Z INFO [pip] Detecting vulnerabilities...
2024-07-19T12:25:01Z INFO Detected config files num=24
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:
Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)
on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
118: variable "checksum_algorithm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
62: "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
63: "${module.athena-s3-bucket.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
64: "${module.dms-premigrate-assess-store.bucket.arn}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
191: data "archive_file" "query_output_to_list" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
13: resource "random_password" "random_password" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
11: "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
24: "Resource": "${module.create_athena_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
98: "WorkGroup": "${aws_athena_workgroup.default.name}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
114: "Resource": "${module.query_output_to_list.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
127: "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
141: "Resource": "${module.send_table_to_ap.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
152: "Resource": "${module.update_log_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
164: "WorkGroup": "${aws_athena_workgroup.default.name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T12:24:56Z INFO Need to update DB
2024-07-19T12:24:56Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T12:24:57Z INFO Vulnerability scanning is enabled
2024-07-19T12:24:57Z INFO Misconfiguration scanning is enabled
2024-07-19T12:24:57Z INFO Need to update the built-in policies
2024-07-19T12:24:57Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T12:24:58Z INFO Secret scanning is enabled
2024-07-19T12:24:58Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T12:24:58Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T12:24:58Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T12:25:01Z INFO Number of language-specific files num=1
2024-07-19T12:25:01Z INFO [pip] Detecting vulnerabilities...
2024-07-19T12:25:01Z INFO Detected config files num=24
bastion_linux.tf (terraform)
============================
Tests:3 (SUCCESSES:1, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
data_store.tf (terraform)
=========================
Tests:11 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:2)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │   bucket = aws_s3_bucket.data_store.id
25 │
26 │   rule {
27 │     apply_server_side_encryption_by_default {
28 │       sse_algorithm = "AES256"
29 │     }
30 │   }
31 └ }
────────────────────────────────────────
dms_data_validation_glue_job.tf (terraform)
===========================================
Tests:13 (SUCCESSES:8, FAILURES:5, EXCEPTIONS:0)
Failures:5 (HIGH:5, CRITICAL:0)
HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_s3_target_ep.tf (terraform)
===============================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_security_groups.tf (terraform)
==================================
Tests:6 (SUCCESSES:4, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:0, CRITICAL:2)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15     security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [   cidr_ipv4         = "0.0.0.0/0"
18     ip_protocol       = "tcp"
19     from_port         = 0
20     to_port           = 65535
21     description       = "DMS Terraform"
22   }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [   cidr_ipv4         = "0.0.0.0/0"
63     ip_protocol       = "tcp"
64     from_port         = 0
65     to_port           = 65535
66     description       = "Required ports open for Glue-RDS-Connection"
67   }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:32 (SUCCESSES:10, FAILURES:0, EXCEPTIONS:22)
Failures:0 (HIGH:0, CRITICAL:0)
glue_data.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:4)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
lambdas_iam.tf (terraform)
==========================
Tests:16 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:16)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas_security_groups.tf (terraform)
======================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11     security_group_id = aws_security_group.lambda_db_security_group.id
12 [   cidr_ipv4         = "0.0.0.0/0"
13     ip_protocol       = "tcp"
14     from_port         = 0
15     to_port           = 65535
16     description       = "Lambda outbound access"
17   }
────────────────────────────────────────
modules/lambdas/main.tf (terraform)
===================================
Tests:55 (SUCCESSES:22, FAILURES:0, EXCEPTIONS:33)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests:1 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/main.tf (terraform)
========================================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests:32 (SUCCESSES:30, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
server_backups.tf (terraform)
=============================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
step_functions_iam.tf (terraform)
=================================
Tests:11 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:11)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T14:05:32Z INFO Need to update DB
2024-07-19T14:05:32Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T14:05:34Z INFO Vulnerability scanning is enabled
2024-07-19T14:05:34Z INFO Misconfiguration scanning is enabled
2024-07-19T14:05:34Z INFO Need to update the built-in policies
2024-07-19T14:05:34Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T14:05:35Z INFO Secret scanning is enabled
2024-07-19T14:05:35Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T14:05:35Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T14:05:35Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T14:05:39Z INFO Number of language-specific files num=1
2024-07-19T14:05:39Z INFO [pip] Detecting vulnerabilities...
2024-07-19T14:05:39Z INFO Detected config files num=24
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:
Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)
on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
118: variable "checksum_algorithm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
62: "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
63: "${module.athena-s3-bucket.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
64: "${module.dms-premigrate-assess-store.bucket.arn}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
191: data "archive_file" "query_output_to_list" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
13: resource "random_password" "random_password" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
11: "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
24: "Resource": "${module.create_athena_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
98: "WorkGroup": "${aws_athena_workgroup.default.name}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
114: "Resource": "${module.query_output_to_list.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
127: "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
141: "Resource": "${module.send_table_to_ap.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
152: "Resource": "${module.update_log_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
164: "WorkGroup": "${aws_athena_workgroup.default.name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T14:05:32Z INFO Need to update DB
2024-07-19T14:05:32Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T14:05:34Z INFO Vulnerability scanning is enabled
2024-07-19T14:05:34Z INFO Misconfiguration scanning is enabled
2024-07-19T14:05:34Z INFO Need to update the built-in policies
2024-07-19T14:05:34Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T14:05:35Z INFO Secret scanning is enabled
2024-07-19T14:05:35Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T14:05:35Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T14:05:35Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T14:05:39Z INFO Number of language-specific files num=1
2024-07-19T14:05:39Z INFO [pip] Detecting vulnerabilities...
2024-07-19T14:05:39Z INFO Detected config files num=24
bastion_linux.tf (terraform)
============================
Tests:3 (SUCCESSES:1, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
data_store.tf (terraform)
=========================
Tests:11 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:2)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │   bucket = aws_s3_bucket.data_store.id
25 │
26 │   rule {
27 │     apply_server_side_encryption_by_default {
28 │       sse_algorithm = "AES256"
29 │     }
30 │   }
31 └ }
────────────────────────────────────────
dms_data_validation_glue_job.tf (terraform)
===========================================
Tests:13 (SUCCESSES:8, FAILURES:5, EXCEPTIONS:0)
Failures:5 (HIGH:5, CRITICAL:0)
HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_s3_target_ep.tf (terraform)
===============================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_security_groups.tf (terraform)
==================================
Tests:6 (SUCCESSES:4, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:0, CRITICAL:2)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15     security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [   cidr_ipv4         = "0.0.0.0/0"
18     ip_protocol       = "tcp"
19     from_port         = 0
20     to_port           = 65535
21     description       = "DMS Terraform"
22   }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [   cidr_ipv4         = "0.0.0.0/0"
63     ip_protocol       = "tcp"
64     from_port         = 0
65     to_port           = 65535
66     description       = "Required ports open for Glue-RDS-Connection"
67   }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:32 (SUCCESSES:10, FAILURES:0, EXCEPTIONS:22)
Failures:0 (HIGH:0, CRITICAL:0)
glue_data.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:4)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
lambdas_iam.tf (terraform)
==========================
Tests:16 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:16)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas_security_groups.tf (terraform)
======================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11     security_group_id = aws_security_group.lambda_db_security_group.id
12 [   cidr_ipv4         = "0.0.0.0/0"
13     ip_protocol       = "tcp"
14     from_port         = 0
15     to_port           = 65535
16     description       = "Lambda outbound access"
17   }
────────────────────────────────────────
modules/lambdas/main.tf (terraform)
===================================
Tests:55 (SUCCESSES:22, FAILURES:0, EXCEPTIONS:33)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests:1 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/main.tf (terraform)
========================================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests:32 (SUCCESSES:30, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
server_backups.tf (terraform)
=============================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
step_functions_iam.tf (terraform)
=================================
Tests:11 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:11)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:08:35Z INFO Need to update DB
2024-07-19T15:08:35Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:08:37Z INFO Vulnerability scanning is enabled
2024-07-19T15:08:37Z INFO Misconfiguration scanning is enabled
2024-07-19T15:08:37Z INFO Need to update the built-in policies
2024-07-19T15:08:37Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:08:38Z INFO Secret scanning is enabled
2024-07-19T15:08:38Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:08:38Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:08:38Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:08:41Z INFO Number of language-specific files num=1
2024-07-19T15:08:41Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:08:41Z INFO Detected config files num=24
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:
Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)
on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
118: variable "checksum_algorithm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
190: data "archive_file" "summarise_zip_lambda" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
62: "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
63: "${module.athena-s3-bucket.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
64: "${module.dms-premigrate-assess-store.bucket.arn}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
13: resource "random_password" "random_password" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
11: "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
24: "Resource": "${module.create_athena_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
98: "WorkGroup": "${aws_athena_workgroup.default.name}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
114: "Resource": "${module.query_output_to_list.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
127: "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
141: "Resource": "${module.send_table_to_ap.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
152: "Resource": "${module.update_log_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
164: "WorkGroup": "${aws_athena_workgroup.default.name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:08:35Z INFO Need to update DB
2024-07-19T15:08:35Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:08:37Z INFO Vulnerability scanning is enabled
2024-07-19T15:08:37Z INFO Misconfiguration scanning is enabled
2024-07-19T15:08:37Z INFO Need to update the built-in policies
2024-07-19T15:08:37Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:08:38Z INFO Secret scanning is enabled
2024-07-19T15:08:38Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:08:38Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:08:38Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:08:41Z INFO Number of language-specific files num=1
2024-07-19T15:08:41Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:08:41Z INFO Detected config files num=24
bastion_linux.tf (terraform)
============================
Tests:3 (SUCCESSES:1, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
data_store.tf (terraform)
=========================
Tests:11 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:2)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │   bucket = aws_s3_bucket.data_store.id
25 │
26 │   rule {
27 │     apply_server_side_encryption_by_default {
28 │       sse_algorithm = "AES256"
29 │     }
30 │   }
31 └ }
────────────────────────────────────────
dms_data_validation_glue_job.tf (terraform)
===========================================
Tests:13 (SUCCESSES:8, FAILURES:5, EXCEPTIONS:0)
Failures:5 (HIGH:5, CRITICAL:0)
HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. With blocking enabled, PUT requests will fail if the object carries any public ACL.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 buckets should have block public policy enabled, to prevent users from attaching a bucket policy that enables public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. With restrict_public_buckets enabled, only the bucket owner and AWS services can access the bucket if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_s3_target_ep.tf (terraform)
===============================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_security_groups.tf (terraform)
==================================
Tests:6 (SUCCESSES:4, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:0, CRITICAL:2)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15     security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [   cidr_ipv4   = "0.0.0.0/0"
18     ip_protocol = "tcp"
19     from_port   = 0
20     to_port     = 65535
21     description = "DMS Terraform"
22   }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [   cidr_ipv4   = "0.0.0.0/0"
63     ip_protocol = "tcp"
64     from_port   = 0
65     to_port     = 65535
66     description = "Required ports open for Glue-RDS-Connection"
67   }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:32 (SUCCESSES:10, FAILURES:0, EXCEPTIONS:22)
Failures:0 (HIGH:0, CRITICAL:0)
glue_data.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:4)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
lambdas_iam.tf (terraform)
==========================
Tests:16 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:16)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas_security_groups.tf (terraform)
======================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11     security_group_id = aws_security_group.lambda_db_security_group.id
12 [   cidr_ipv4   = "0.0.0.0/0"
13     ip_protocol = "tcp"
14     from_port   = 0
15     to_port     = 65535
16     description = "Lambda outbound access"
17   }
────────────────────────────────────────
modules/lambdas/main.tf (terraform)
===================================
Tests:55 (SUCCESSES:22, FAILURES:0, EXCEPTIONS:33)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests:1 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/main.tf (terraform)
========================================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests:32 (SUCCESSES:30, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │ }
28 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │ }
28 └ }
────────────────────────────────────────
server_backups.tf (terraform)
=============================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
step_functions_iam.tf (terraform)
=================================
Tests:11 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:11)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=1
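The Trivy findings in the run above only describe the fix in prose. The following Terraform is an added illustration, not code from the electronic-monitoring-data environment or the Modernisation Platform modules, showing the corrected form of each flagged pattern: SSE-KMS with a customer managed key in place of `sse_algorithm = "AES256"` (avd-aws-0132), an `aws_s3_bucket_public_access_block` with all four settings on (avd-aws-0086/0087/0091/0093), and egress rules that name their destination instead of `tcp 0-65535` to `0.0.0.0/0` (avd-aws-0104). The KMS key, the `aws_security_group.rds` reference, port 5432 and the S3 prefix-list lookup are assumptions for the example; the real destinations come from what DMS, Glue and the Lambdas actually connect to.

```hcl
# Added example, not code from the electronic-monitoring-data environment.
# Corrected form of the resources Trivy flagged. The KMS key, the "rds"
# security group, port 5432 and the S3 prefix-list lookup are assumptions.

# avd-aws-0132: a customer managed key (CMK) instead of the S3-managed key,
# so rotation and key-policy access control are under your control.
resource "aws_kms_key" "s3_data" {
  description             = "CMK for S3 server-side encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "example" {
  bucket_prefix = "glue-jobs-py-scripts-"
}

# Before: sse_algorithm = "AES256" (SSE-S3). After: SSE-KMS under the CMK.
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3_data.arn
    }
    bucket_key_enabled = true # one data key per bucket, far fewer KMS calls
  }
}

# avd-aws-0086 / 0087 / 0091 / 0093: the bucket at
# dms_data_validation_glue_job.tf:37-39 had no public access block at all.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# avd-aws-0104: replace "tcp 0-65535 to 0.0.0.0/0" with rules that name the
# destination. Glue needs the database port on the RDS security group and
# HTTPS to S3 through the VPC gateway endpoint (both assumed destinations).
resource "aws_vpc_security_group_egress_rule" "glue_to_rds" {
  security_group_id            = aws_security_group.glue_rds_conn_security_group.id
  referenced_security_group_id = aws_security_group.rds.id # assumed to exist
  ip_protocol                  = "tcp"
  from_port                    = 5432 # assumed PostgreSQL; use the engine's port
  to_port                      = 5432
  description                  = "Glue to RDS only"
}

data "aws_region" "current" {}

# AWS-managed prefix list for S3 in this region (what the gateway endpoint routes).
data "aws_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_vpc_security_group_egress_rule" "glue_to_s3" {
  security_group_id = aws_security_group.glue_rds_conn_security_group.id
  prefix_list_id    = data.aws_prefix_list.s3.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  description       = "Glue to S3 via gateway endpoint"
}
```

Three checks before applying this to the real files. Every principal that reads or writes the bucket (the DMS replication role, the Glue job role, the Lambda execution roles) needs kms:GenerateDataKey and kms:Decrypt on the CMK, in its IAM policy or in the key policy, or PutObject starts failing with AccessDenied as soon as the default switches to aws:kms. If modules/s3_log_bucket is the destination of S3 server access logging, leave that one on AES256: S3 delivers server access logs only to buckets using SSE-S3, so that instance of avd-aws-0132 is a documented exception (a `#trivy:ignore:AVD-AWS-0132` comment on the resource) rather than a change. For the DMS replication instance, if the source database sits outside the VPC the wide-open rule cannot simply be deleted; narrow it to the source's address and database port, which is what the check asks for.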
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:46:37Z INFO Need to update DB
2024-07-19T15:46:37Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:46:39Z INFO Vulnerability scanning is enabled
2024-07-19T15:46:39Z INFO Misconfiguration scanning is enabled
2024-07-19T15:46:39Z INFO Need to update the built-in policies
2024-07-19T15:46:39Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:46:40Z INFO Secret scanning is enabled
2024-07-19T15:46:40Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:46:40Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:46:40Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:46:45Z INFO Number of language-specific files num=1
2024-07-19T15:46:45Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:46:45Z INFO Detected config files num=24
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. With restrict_public_buckets enabled, only the bucket owner and AWS services can access the bucket if it has a public policy.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:
Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)
on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
118: variable "checksum_algorithm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
190: data "archive_file" "summarise_zip_lambda" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
62: "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
63: "${module.athena-s3-bucket.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
64: "${module.dms-premigrate-assess-store.bucket.arn}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
13: resource "random_password" "random_password" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
11: "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
24: "Resource": "${module.create_athena_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
98: "WorkGroup": "${aws_athena_workgroup.default.name}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
114: "Resource": "${module.query_output_to_list.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
127: "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
141: "Resource": "${module.send_table_to_ap.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
152: "Resource": "${module.update_log_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
164: "WorkGroup": "${aws_athena_workgroup.default.name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:46:37Z INFO Need to update DB
2024-07-19T15:46:37Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:46:39Z INFO Vulnerability scanning is enabled
2024-07-19T15:46:39Z INFO Misconfiguration scanning is enabled
2024-07-19T15:46:39Z INFO Need to update the built-in policies
2024-07-19T15:46:39Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:46:40Z INFO Secret scanning is enabled
2024-07-19T15:46:40Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:46:40Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:46:40Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:46:45Z INFO Number of language-specific files num=1
2024-07-19T15:46:45Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:46:45Z INFO Detected config files num=24
bastion_linux.tf (terraform)
============================
Tests:3 (SUCCESSES:1, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
data_store.tf (terraform)
=========================
Tests:11 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:2)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │   bucket = aws_s3_bucket.data_store.id
25 │
26 │   rule {
27 │     apply_server_side_encryption_by_default {
28 │       sse_algorithm = "AES256"
29 │     }
30 │   }
31 └ }
────────────────────────────────────────
dms_data_validation_glue_job.tf (terraform)
===========================================
Tests:13 (SUCCESSES:8, FAILURES:5, EXCEPTIONS:0)
Failures:5 (HIGH:5, CRITICAL:0)
HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. With blocking enabled, PUT requests will fail if the object carries any public ACL.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 buckets should have block public policy enabled, to prevent users from attaching a bucket policy that enables public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. With restrict_public_buckets enabled, only the bucket owner and AWS services can access the bucket if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_s3_target_ep.tf (terraform)
===============================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_security_groups.tf (terraform)
==================================
Tests:6 (SUCCESSES:4, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:0, CRITICAL:2)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15     security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [   cidr_ipv4   = "0.0.0.0/0"
18     ip_protocol = "tcp"
19     from_port   = 0
20     to_port     = 65535
21     description = "DMS Terraform"
22   }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [   cidr_ipv4   = "0.0.0.0/0"
63     ip_protocol = "tcp"
64     from_port   = 0
65     to_port     = 65535
66     description = "Required ports open for Glue-RDS-Connection"
67   }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:32 (SUCCESSES:10, FAILURES:0, EXCEPTIONS:22)
Failures:0 (HIGH:0, CRITICAL:0)
glue_data.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:4)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
lambdas_iam.tf (terraform)
==========================
Tests:16 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:16)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas_security_groups.tf (terraform)
======================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11     security_group_id = aws_security_group.lambda_db_security_group.id
12 [   cidr_ipv4   = "0.0.0.0/0"
13     ip_protocol = "tcp"
14     from_port   = 0
15     to_port     = 65535
16     description = "Lambda outbound access"
17   }
────────────────────────────────────────
modules/lambdas/main.tf (terraform)
===================================
Tests:55 (SUCCESSES:22, FAILURES:0, EXCEPTIONS:33)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests:1 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/main.tf (terraform)
========================================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests:32 (SUCCESSES:30, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
server_backups.tf (terraform)
=============================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
step_functions_iam.tf (terraform)
=================================
Tests:11 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:11)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:56:20Z INFO Need to update DB
2024-07-19T15:56:20Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:56:22Z INFO Vulnerability scanning is enabled
2024-07-19T15:56:22Z INFO Misconfiguration scanning is enabled
2024-07-19T15:56:22Z INFO Need to update the built-in policies
2024-07-19T15:56:22Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:56:22Z INFO Secret scanning is enabled
2024-07-19T15:56:22Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:56:22Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:56:25Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:56:25Z INFO Number of language-specific files num=1
2024-07-19T15:56:25Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:56:25Z INFO Detected config files num=24
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:
Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)
on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
  118: variable "checksum_algorithm" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
   62: "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
   63: "${module.athena-s3-bucket.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
   64: "${module.dms-premigrate-assess-store.bucket.arn}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 191:
  191: data "archive_file" "query_output_to_list" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)
on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
   13: resource "random_password" "random_password" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
   11: "Resource": "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
   24: "Resource": "${module.create_athena_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
   98: "WorkGroup": "${aws_athena_workgroup.default.name}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
  114: "Resource": "${module.query_output_to_list.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
  127: "Resource": "${module.get_file_keys_for_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
  141: "Resource": "${module.send_table_to_ap.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
  152: "Resource": "${module.update_log_table.lambda_function_arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
  164: "WorkGroup": "${aws_athena_workgroup.default.name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
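The tflint report above contains three rule classes: an untyped variable (terraform_typed_variables), providers used without a version constraint (terraform_required_providers), and interpolation-only `"${...}"` wrappers (terraform_deprecated_interpolation). The block below is an added example written for this page, not code from the modernisation-platform-environments repository; it shows the corrected shape of each with placeholder resource names standing in for the ones the linter reported.

```hcl
# Added example (not repository code): one fix for each tflint rule class in
# the report above. Resource and module names are placeholders.

terraform {
  required_version = ">= 1.5"

  # terraform_required_providers: every provider the configuration touches
  # gets a source and a version constraint, including the ones used only by
  # a data source (archive) or a single resource (random). Without the
  # constraint, `terraform init` resolves whatever the newest release is and
  # the lock file alone pins the supply chain.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.4"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}

# terraform_typed_variables: an untyped variable accepts any value. A type
# plus a validation block turns a bad value into a plan-time error rather
# than an S3 API error at apply time.
variable "checksum_algorithm" {
  type        = string
  description = "Checksum algorithm S3 should verify on upload"
  default     = "SHA256"

  validation {
    condition     = contains(["CRC32", "CRC32C", "SHA1", "SHA256"], var.checksum_algorithm)
    error_message = "checksum_algorithm must be one of CRC32, CRC32C, SHA1, SHA256."
  }
}

# Uses of the two providers that triggered the required_providers warnings.
resource "random_password" "db" {
  length  = 32
  special = false
}

data "archive_file" "handler" {
  type        = "zip"
  source_file = "${path.module}/handler.py"
  output_path = "${path.module}/handler.zip"
}

resource "aws_s3_bucket" "dms_target" {
  bucket_prefix = "dms-target-"
}

# terraform_deprecated_interpolation: "${expr}" wrapping an entire value is
# the pre-0.12 syntax; write the expression directly. Inside jsonencode()
# the ARN is then passed as a value instead of being spliced into a string.
#
#   Before: "Resource": "${module.update_log_table.lambda_function_arn}",
#   After:  Resource = module.update_log_table.lambda_function_arn
resource "aws_iam_policy" "dms_s3" {
  name = "dms-s3-access"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["s3:GetObject", "s3:PutObject"]
      Resource = [
        aws_s3_bucket.dms_target.arn,        # was "${aws_s3_bucket.dms_target.arn}"
        "${aws_s3_bucket.dms_target.arn}/*", # still fine: a real interpolation inside a longer string
      ]
    }]
  })
}
```

The `[Fixable]` interpolation warnings can be applied by `tflint --fix`; the typed-variable and required_providers changes need a hand edit. Pinning `archive` and `random` matters beyond lint hygiene: an unconstrained provider is downloaded at whichever version the registry serves on the day the lock file is regenerated.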
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-07-19T15:56:20Z INFO Need to update DB
2024-07-19T15:56:20Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-19T15:56:22Z INFO Vulnerability scanning is enabled
2024-07-19T15:56:22Z INFO Misconfiguration scanning is enabled
2024-07-19T15:56:22Z INFO Need to update the built-in policies
2024-07-19T15:56:22Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-19T15:56:22Z INFO Secret scanning is enabled
2024-07-19T15:56:22Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-19T15:56:22Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-19T15:56:25Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found"
2024-07-19T15:56:25Z INFO Number of language-specific files num=1
2024-07-19T15:56:25Z INFO [pip] Detecting vulnerabilities...
2024-07-19T15:56:25Z INFO Detected config files num=24
bastion_linux.tf (terraform)
============================
Tests:3 (SUCCESSES:1, FAILURES:0, EXCEPTIONS:2)
Failures:0 (HIGH:0, CRITICAL:0)
data_store.tf (terraform)
=========================
Tests:11 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:2)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │   bucket = aws_s3_bucket.data_store.id
25 │
26 │   rule {
27 │     apply_server_side_encryption_by_default {
28 │       sse_algorithm = "AES256"
29 │     }
30 │   }
31 └ }
────────────────────────────────────────
dms_data_validation_glue_job.tf (terraform)
===========================================
Tests:13 (SUCCESSES:8, FAILURES:5, EXCEPTIONS:0)
Failures:5 (HIGH:5, CRITICAL:0)
HIGH: No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not ignoring public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │   bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────
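The four findings above (AVD-AWS-0086, 0087, 0091 and 0093) all come from one gap: `aws_s3_bucket.dms_dv_glue_job_s3_bucket` has no `aws_s3_bucket_public_access_block` attached, so nothing stops a later `PutBucketAcl` or `PutBucketPolicy` from exposing the Glue scripts, which is code that Glue will execute. The block below is an added example written for this page, not code from the modernisation-platform-environments repository; the resource name `glue_scripts` is a placeholder for the flagged bucket.

```hcl
# Added example (not repository code): a private bucket for Glue job scripts
# with all four public-access controls on. Resource names are placeholders.

resource "aws_s3_bucket" "glue_scripts" {
  bucket_prefix = "glue-jobs-py-scripts-"
}

# One public access block clears all four Trivy checks at once. Each flag
# maps to one of the findings above.
resource "aws_s3_bucket_public_access_block" "glue_scripts" {
  bucket = aws_s3_bucket.glue_scripts.id

  block_public_acls       = true # AVD-AWS-0086: PUTs carrying a public ACL are rejected
  block_public_policy     = true # AVD-AWS-0087: bucket policies granting public access are rejected
  ignore_public_acls      = true # AVD-AWS-0091: any existing public ACL is treated as absent
  restrict_public_buckets = true # AVD-AWS-0093: a public policy only works for the owner and AWS services
}

# BucketOwnerEnforced disables object ACLs entirely, so there is no ACL left
# for anyone (including a misconfigured writer) to make public. This is the
# default for new buckets created in the console, but not when Terraform
# creates them, so it is worth stating explicitly.
resource "aws_s3_bucket_ownership_controls" "glue_scripts" {
  bucket = aws_s3_bucket.glue_scripts.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Glue runs whatever script object it is pointed at, so protect the scripts
# against silent replacement as well as exposure: versioning keeps history,
# and the same writer restrictions belong in the bucket policy.
resource "aws_s3_bucket_versioning" "glue_scripts" {
  bucket = aws_s3_bucket.glue_scripts.id

  versioning_configuration {
    status = "Enabled"
  }
}
```

`aws_s3_account_public_access_block` applies the same four flags to every bucket in the account and is the backstop if a module forgets the per-bucket resource; Trivy still expects the per-bucket block, so keep both.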
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_s3_target_ep.tf (terraform)
===============================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
dms_security_groups.tf (terraform)
==================================
Tests:6 (SUCCESSES:4, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:0, CRITICAL:2)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15     security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [   cidr_ipv4         = "0.0.0.0/0"
18     ip_protocol       = "tcp"
19     from_port         = 0
20     to_port           = 65535
21     description       = "DMS Terraform"
22   }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [   cidr_ipv4         = "0.0.0.0/0"
63     ip_protocol       = "tcp"
64     from_port         = 0
65     to_port           = 65535
66     description       = "Required ports open for Glue-RDS-Connection"
67   }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests:32 (SUCCESSES:10, FAILURES:0, EXCEPTIONS:22)
Failures:0 (HIGH:0, CRITICAL:0)
glue_data.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:4)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
lambdas_iam.tf (terraform)
==========================
Tests:16 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:16)
Failures:0 (HIGH:0, CRITICAL:0)
lambdas_security_groups.tf (terraform)
======================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11     security_group_id = aws_security_group.lambda_db_security_group.id
12 [   cidr_ipv4         = "0.0.0.0/0"
13     ip_protocol       = "tcp"
14     from_port         = 0
15     to_port           = 65535
16     description       = "Lambda outbound access"
17   }
────────────────────────────────────────
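The three AVD-AWS-0104 findings in this run (`dms_all_tcp_outbound`, `glue_rds_conn_outbound`, `lambda_all_outbound`) share one shape: every TCP port, out to `0.0.0.0/0`. The workloads behind them need to reach a database in the VPC and S3, nothing on the public internet, so the rules can name those destinations instead. The block below is an added example written for this page, not code from the modernisation-platform-environments repository; the security group names, the `vpc_id` and `db_port` variables are placeholders, and the same pattern applies to the DMS and Glue groups.

```hcl
# Added example (not repository code): replace "tcp/0-65535 to 0.0.0.0/0" with
# egress to the database security group on the DB port and to S3 through the
# regional gateway-endpoint prefix list. Names and variables are placeholders.

data "aws_region" "current" {}

variable "vpc_id" {
  type = string
}

variable "db_port" {
  type    = number
  default = 5432 # PostgreSQL; 1433 for SQL Server, 3306 for MySQL
}

resource "aws_security_group" "lambda_db" {
  name        = "lambda-db"
  description = "Lambda functions that talk to the database"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "database" {
  name        = "database"
  description = "RDS instance"
  vpc_id      = var.vpc_id
}

# Flagged form (AVD-AWS-0104), for contrast:
#
#   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
#     security_group_id = aws_security_group.lambda_db.id
#     cidr_ipv4         = "0.0.0.0/0"
#     ip_protocol       = "tcp"
#     from_port         = 0
#     to_port           = 65535
#   }

# 1. To the database: referenced_security_group_id instead of a CIDR, so the
#    rule follows the instance if its address changes and can never reach
#    the internet. Only the DB port, not 0-65535.
resource "aws_vpc_security_group_egress_rule" "lambda_to_db" {
  security_group_id            = aws_security_group.lambda_db.id
  referenced_security_group_id = aws_security_group.database.id
  ip_protocol                  = "tcp"
  from_port                    = var.db_port
  to_port                      = var.db_port
  description                  = "Lambda to RDS"
}

# The matching ingress on the database side. Security groups are stateful,
# so reply traffic needs no further rule in either direction.
resource "aws_vpc_security_group_ingress_rule" "db_from_lambda" {
  security_group_id            = aws_security_group.database.id
  referenced_security_group_id = aws_security_group.lambda_db.id
  ip_protocol                  = "tcp"
  from_port                    = var.db_port
  to_port                      = var.db_port
  description                  = "RDS from Lambda"
}

# 2. To S3: the AWS-managed prefix list for the S3 gateway endpoint in this
#    region. With a gateway endpoint on the subnets' route tables the traffic
#    stays on the AWS network, and the AVD-AWS-0104 check keys on CIDR blocks,
#    so a prefix-list rule does not trip it.
data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_vpc_security_group_egress_rule" "lambda_to_s3" {
  security_group_id = aws_security_group.lambda_db.id
  prefix_list_id    = data.aws_ec2_managed_prefix_list.s3.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  description       = "Lambda to S3 via gateway endpoint"
}
```

Two caveats before applying this to the page's groups. A Lambda in a VPC that also calls other AWS APIs (KMS, Secrets Manager, Athena) needs either a NAT route or interface endpoints for those services; with interface endpoints, add a 443 egress rule referencing the endpoint's security group rather than reopening `0.0.0.0/0`. For the Glue connection group, the Glue documentation requires a self-referencing rule on all TCP ports; that is still fine under this check because `referenced_security_group_id` points at the group itself, not the internet.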
modules/lambdas/main.tf (terraform)
===================================
Tests:55 (SUCCESSES:22, FAILURES:0, EXCEPTIONS:33)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/landing_zone_user/main.tf (terraform)
==========================================================
Tests:1 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/landing_zone/main.tf (terraform)
========================================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests:32 (SUCCESSES:30, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via s3_main.tf:304-310 (module.dms-premigrate-assess-store-logs)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │   bucket = aws_s3_bucket.this.id
22 │
23 │   rule {
24 │     apply_server_side_encryption_by_default {
25 │       sse_algorithm = "AES256"
26 │     }
27 │   }
28 └ }
────────────────────────────────────────
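Every AVD-AWS-0132 finding in this run (`data_store.tf:23-31`, `dms_data_validation_glue_job.tf:20-28`, `dms_s3_target_ep.tf:20-28`, and the two instances of `modules/s3_log_bucket`) has the same cause: `sse_algorithm = "AES256"` selects the S3-managed key, so rotation, key policy and per-key CloudTrail audit are outside the account's control. The block below is an added example written for this page, not code from the modernisation-platform-environments repository; the bucket, the alias and the `data_store_writer_role_name` variable are placeholders.

```hcl
# Added example (not repository code): default bucket encryption moved from
# SSE-S3 to a customer managed KMS key, plus the key permission the bucket's
# users need afterwards. Names and the role variable are placeholders.

data "aws_region" "current" {}

variable "data_store_writer_role_name" {
  type        = string
  description = "Hypothetical IAM role that writes to and reads from the bucket"
}

resource "aws_s3_bucket" "data_store" {
  bucket_prefix = "data-store-"
}

# Flagged form (AVD-AWS-0132), for contrast:
#
#   apply_server_side_encryption_by_default {
#     sse_algorithm = "AES256"
#   }

# A key this account owns: yearly automatic rotation, and a deletion window
# long enough to cancel an accidental destroy before the data is unreadable.
# With no `policy` set, the default key policy applies (account root has
# full control; IAM policies in the account then decide who may use it).
resource "aws_kms_key" "data_store" {
  description             = "SSE-KMS key for the data store bucket"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "data_store" {
  name          = "alias/data-store-s3"
  target_key_id = aws_kms_key.data_store.key_id
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  bucket = aws_s3_bucket.data_store.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data_store.arn
    }
    # An S3 Bucket Key caches a bucket-level data key, so KMS is not called
    # once per object. This cuts KMS request volume and cost sharply.
    bucket_key_enabled = true
  }
}

# Under a CMK, every principal that writes or reads objects must also be
# allowed to use the key, or PutObject/GetObject fail with AccessDenied right
# after the switch even though the S3 permissions are unchanged.
# kms:ViaService limits the grant to calls made through S3 in this region.
data "aws_iam_policy_document" "data_store_kms_use" {
  statement {
    sid       = "UseDataStoreKeyViaS3"
    actions   = ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"]
    resources = [aws_kms_key.data_store.arn]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "data_store_kms_use" {
  name   = "data-store-kms-use"
  role   = var.data_store_writer_role_name
  policy = data.aws_iam_policy_document.data_store_kms_use.json
}
```

Two things to check before rolling this out. Changing the default encryption does not re-encrypt existing objects; they stay under SSE-S3 until copied in place. And if a bucket created by `modules/s3_log_bucket` is the destination for S3 server access logs, the S3 documentation (at the time of writing) only supports SSE-S3 default encryption on such a destination bucket, so for that module the right outcome may be a documented `#trivy:ignore:AVD-AWS-0132` comment on the resource with the reason, rather than a CMK that breaks log delivery.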
server_backups.tf (terraform)
=============================
Tests:7 (SUCCESSES:6, FAILURES:0, EXCEPTIONS:1)
Failures:0 (HIGH:0, CRITICAL:0)
step_functions_iam.tf (terraform)
=================================
Tests:11 (SUCCESSES:0, FAILURES:0, EXCEPTIONS:11)
Failures:0 (HIGH:0, CRITICAL:0)
trivy_exitcode=1
No description provided.