
CC-2605: ssl_policy ELBSecurityPolicy-2016-08 -> ELBSecurityPolicy-TLS13-1-2-2021-06 #7421

Merged
merged 2 commits into from
Aug 13, 2024

mmgovuk (Contributor)

@mmgovuk mmgovuk commented Aug 9, 2024

CC-2605: ssl_policy ELBSecurityPolicy-2016-08 -> ELBSecurityPolicy-TLS13-1-2-2021-06

@mmgovuk mmgovuk requested a review from SahidKhan89 August 9, 2024 14:21
@mmgovuk mmgovuk self-assigned this Aug 9, 2024
@github-actions github-actions bot added the environments-repository label (used to exclude PRs from this repo in our Slack PR update) Aug 9, 2024
@mmgovuk mmgovuk temporarily deployed to ccms-ebs-development August 9, 2024 14:22 — with GitHub Actions Inactive

github-actions bot commented Aug 9, 2024

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs


Running Trivy in terraform/environments/ccms-ebs
2024-08-09T14:23:39Z INFO [db] Need to update DB
2024-08-09T14:23:39Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-09T14:23:42Z INFO [vuln] Vulnerability scanning is enabled
2024-08-09T14:23:42Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-09T14:23:42Z INFO Need to update the built-in policies
2024-08-09T14:23:42Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-09T14:23:42Z INFO [secret] Secret scanning is enabled
2024-08-09T14:23:42Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-09T14:23:42Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-09T14:23:45Z INFO Number of language-specific files num=0
2024-08-09T14:23:45Z INFO Detected config files num=33

ccms-ec2-clamav-sg.tf (terraform)

Tests: 5 (SUCCESSES: 2, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-clamav-sg.tf:65
via ccms-ec2-clamav-sg.tf:58-66 (aws_security_group_rule.egress_traffic_clamav_22)
────────────────────────────────────────
58 resource "aws_security_group_rule" "egress_traffic_clamav_22" {
59 security_group_id = aws_security_group.ec2_sg_clamav.id
60 type = "egress"
61 description = "SSH"
62 protocol = "TCP"
63 from_port = 22
64 to_port = 22
65 [ cidr_blocks = ["0.0.0.0/0"]
66 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-clamav-sg.tf:53
via ccms-ec2-clamav-sg.tf:46-54 (aws_security_group_rule.egress_traffic_clamav_3310)
────────────────────────────────────────
46 resource "aws_security_group_rule" "egress_traffic_clamav_3310" {
47 security_group_id = aws_security_group.ec2_sg_clamav.id
48 type = "egress"
49 description = "ClamAV"
50 protocol = "TCP"
51 from_port = 3310
52 to_port = 3310
53 [ cidr_blocks = ["0.0.0.0/0"]
54 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-clamav-sg.tf:77
via ccms-ec2-clamav-sg.tf:70-78 (aws_security_group_rule.egress_traffic_clamav_443)
────────────────────────────────────────
70 resource "aws_security_group_rule" "egress_traffic_clamav_443" {
71 security_group_id = aws_security_group.ec2_sg_clamav.id
72 type = "egress"
73 description = "HTTPS"
74 protocol = "TCP"
75 from_port = 443
76 to_port = 443
77 [ cidr_blocks = ["0.0.0.0/0"]
78 }
────────────────────────────────────────

ccms-ec2-ftp-sg.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-ftp-sg.tf:79
via ccms-ec2-ftp-sg.tf:72-80 (aws_security_group_rule.egress_traffic_ftp_22)
────────────────────────────────────────
72 resource "aws_security_group_rule" "egress_traffic_ftp_22" {
73 security_group_id = aws_security_group.ec2_sg_ftp.id
74 type = "egress"
75 description = "SSH"
76 protocol = "TCP"
77 from_port = 22
78 to_port = 22
79 [ cidr_blocks = ["0.0.0.0/0"]
80 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-ftp-sg.tf:91
via ccms-ec2-ftp-sg.tf:84-92 (aws_security_group_rule.egress_traffic_ftp_443)
────────────────────────────────────────
84 resource "aws_security_group_rule" "egress_traffic_ftp_443" {
85 security_group_id = aws_security_group.ec2_sg_ftp.id
86 type = "egress"
87 description = "HTTPS"
88 protocol = "TCP"
89 from_port = 443
90 to_port = 443
91 [ cidr_blocks = ["0.0.0.0/0"]
92 }
────────────────────────────────────────

ccms-ec2-mailrelay-sg.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-mailrelay-sg.tf:51
via ccms-ec2-mailrelay-sg.tf:44-52 (aws_security_group_rule.egress_traffic_mailrelay_443)
────────────────────────────────────────
44 resource "aws_security_group_rule" "egress_traffic_mailrelay_443" {
45 security_group_id = aws_security_group.ec2_sg_mailrelay.id
46 type = "egress"
47 description = "HTTPS"
48 protocol = "TCP"
49 from_port = 443
50 to_port = 443
51 [ cidr_blocks = ["0.0.0.0/0"]
52 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-mailrelay-sg.tf:63
via ccms-ec2-mailrelay-sg.tf:56-64 (aws_security_group_rule.egress_traffic_mailrelay_587)
────────────────────────────────────────
56 resource "aws_security_group_rule" "egress_traffic_mailrelay_587" {
57 security_group_id = aws_security_group.ec2_sg_mailrelay.id
58 type = "egress"
59 description = "SES"
60 protocol = "TCP"
61 from_port = 587
62 to_port = 587
63 [ cidr_blocks = ["0.0.0.0/0"]
64 }
────────────────────────────────────────

ccms-ec2-oracle_accessgate-sg.tf (terraform)

Tests: 26 (SUCCESSES: 12, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 0, CRITICAL: 14)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:325
via ccms-ec2-oracle_accessgate-sg.tf:318-326 (aws_security_group_rule.egress_traffic_accessgate_10401)
────────────────────────────────────────
318 resource "aws_security_group_rule" "egress_traffic_accessgate_10401" {
319 security_group_id = aws_security_group.ec2_sg_accessgate.id
320 type = "egress"
321 description = "Oracle"
322 protocol = "TCP"
323 from_port = 10401
324 to_port = 10401
325 [ cidr_blocks = ["0.0.0.0/0"]
326 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:253
via ccms-ec2-oracle_accessgate-sg.tf:246-254 (aws_security_group_rule.egress_traffic_accessgate_1389)
────────────────────────────────────────
246 resource "aws_security_group_rule" "egress_traffic_accessgate_1389" {
247 security_group_id = aws_security_group.ec2_sg_accessgate.id
248 type = "egress"
249 description = "ORACLE LDAP"
250 protocol = "TCP"
251 from_port = 1389
252 to_port = 1389
253 [ cidr_blocks = ["0.0.0.0/0"]
254 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:265
via ccms-ec2-oracle_accessgate-sg.tf:258-266 (aws_security_group_rule.egress_traffic_accessgate_152x)
────────────────────────────────────────
258 resource "aws_security_group_rule" "egress_traffic_accessgate_152x" {
259 security_group_id = aws_security_group.ec2_sg_accessgate.id
260 type = "egress"
261 description = "ORACLE Net Listener"
262 protocol = "TCP"
263 from_port = 1521
264 to_port = 1522
265 [ cidr_blocks = ["0.0.0.0/0"]
266 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:313
via ccms-ec2-oracle_accessgate-sg.tf:306-314 (aws_security_group_rule.egress_traffic_accessgate_1636)
────────────────────────────────────────
306 resource "aws_security_group_rule" "egress_traffic_accessgate_1636" {
307 security_group_id = aws_security_group.ec2_sg_accessgate.id
308 type = "egress"
309 description = "Oracle LDAP SSL"
310 protocol = "TCP"
311 from_port = 1636
312 to_port = 1636
313 [ cidr_blocks = ["0.0.0.0/0"]
314 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:241
via ccms-ec2-oracle_accessgate-sg.tf:234-242 (aws_security_group_rule.egress_traffic_accessgate_22)
────────────────────────────────────────
234 resource "aws_security_group_rule" "egress_traffic_accessgate_22" {
235 security_group_id = aws_security_group.ec2_sg_accessgate.id
236 type = "egress"
237 description = "SSH"
238 protocol = "TCP"
239 from_port = 22
240 to_port = 22
241 [ cidr_blocks = ["0.0.0.0/0"]
242 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:229
via ccms-ec2-oracle_accessgate-sg.tf:222-230 (aws_security_group_rule.egress_traffic_accessgate_2x)
────────────────────────────────────────
222 resource "aws_security_group_rule" "egress_traffic_accessgate_2x" {
223 security_group_id = aws_security_group.ec2_sg_accessgate.id
224 type = "egress"
225 description = "FTP"
226 protocol = "TCP"
227 from_port = 20
228 to_port = 21
229 [ cidr_blocks = ["0.0.0.0/0"]
230 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:217
via ccms-ec2-oracle_accessgate-sg.tf:210-218 (aws_security_group_rule.egress_traffic_accessgate_443)
────────────────────────────────────────
210 resource "aws_security_group_rule" "egress_traffic_accessgate_443" {
211 security_group_id = aws_security_group.ec2_sg_accessgate.id
212 type = "egress"
213 description = "HTTPS"
214 protocol = "TCP"
215 from_port = 443
216 to_port = 443
217 [ cidr_blocks = ["0.0.0.0/0"]
218 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:361
via ccms-ec2-oracle_accessgate-sg.tf:354-362 (aws_security_group_rule.egress_traffic_accessgate_4443)
────────────────────────────────────────
354 resource "aws_security_group_rule" "egress_traffic_accessgate_4443" {
355 security_group_id = aws_security_group.ec2_sg_accessgate.id
356 type = "egress"
357 description = "Oracle HTTPS"
358 protocol = "TCP"
359 from_port = 4443
360 to_port = 4444
361 [ cidr_blocks = ["0.0.0.0/0"]
362 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:337
via ccms-ec2-oracle_accessgate-sg.tf:330-338 (aws_security_group_rule.egress_traffic_accessgate_50000)
────────────────────────────────────────
330 resource "aws_security_group_rule" "egress_traffic_accessgate_50000" {
331 security_group_id = aws_security_group.ec2_sg_accessgate.id
332 type = "egress"
333 description = "Oracle"
334 protocol = "TCP"
335 from_port = 50000
336 to_port = 51000
337 [ cidr_blocks = ["0.0.0.0/0"]
338 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:277
via ccms-ec2-oracle_accessgate-sg.tf:270-278 (aws_security_group_rule.egress_traffic_accessgate_5101)
────────────────────────────────────────
270 resource "aws_security_group_rule" "egress_traffic_accessgate_5101" {
271 security_group_id = aws_security_group.ec2_sg_accessgate.id
272 type = "egress"
273 description = "Oracle"
274 protocol = "TCP"
275 from_port = 5101
276 to_port = 5101
277 [ cidr_blocks = ["0.0.0.0/0"]
278 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:289
via ccms-ec2-oracle_accessgate-sg.tf:282-290 (aws_security_group_rule.egress_traffic_accessgate_5401)
────────────────────────────────────────
282 resource "aws_security_group_rule" "egress_traffic_accessgate_5401" {
283 security_group_id = aws_security_group.ec2_sg_accessgate.id
284 type = "egress"
285 description = "Oracle"
286 protocol = "TCP"
287 from_port = 5401
288 to_port = 5401
289 [ cidr_blocks = ["0.0.0.0/0"]
290 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:301
via ccms-ec2-oracle_accessgate-sg.tf:294-302 (aws_security_group_rule.egress_traffic_accessgate_5575)
────────────────────────────────────────
294 resource "aws_security_group_rule" "egress_traffic_accessgate_5575" {
295 security_group_id = aws_security_group.ec2_sg_accessgate.id
296 type = "egress"
297 description = "Oracle"
298 protocol = "TCP"
299 from_port = 5575
300 to_port = 5575
301 [ cidr_blocks = ["0.0.0.0/0"]
302 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:205
via ccms-ec2-oracle_accessgate-sg.tf:198-206 (aws_security_group_rule.egress_traffic_accessgate_80)
────────────────────────────────────────
198 resource "aws_security_group_rule" "egress_traffic_accessgate_80" {
199 security_group_id = aws_security_group.ec2_sg_accessgate.id
200 type = "egress"
201 description = "Oracle HTTPs"
202 protocol = "TCP"
203 from_port = 80
204 to_port = 80
205 [ cidr_blocks = ["0.0.0.0/0"]
206 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_accessgate-sg.tf:349
via ccms-ec2-oracle_accessgate-sg.tf:342-350 (aws_security_group_rule.egress_traffic_accessgate_800x)
────────────────────────────────────────
342 resource "aws_security_group_rule" "egress_traffic_accessgate_800x" {
343 security_group_id = aws_security_group.ec2_sg_accessgate.id
344 type = "egress"
345 description = "Oracle HTTP"
346 protocol = "TCP"
347 from_port = 8000
348 to_port = 8005
349 [ cidr_blocks = ["0.0.0.0/0"]
350 }
────────────────────────────────────────

ccms-ec2-oracle_accessgate.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb-sg.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb-sg.tf:38
via ccms-ec2-oracle_ebs_apps-alb-sg.tf:31-39 (aws_security_group_rule.egress_traffic_ebslb_80)
────────────────────────────────────────
31 resource "aws_security_group_rule" "egress_traffic_ebslb_80" {
32 security_group_id = aws_security_group.ec2_sg_ebsapps.id
33 type = "egress"
34 description = "All"
35 protocol = "TCP"
36 from_port = 0
37 to_port = 0
38 [ cidr_blocks = ["0.0.0.0/0"]
39 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb-sg.tf:23
via ccms-ec2-oracle_ebs_apps-alb-sg.tf:16-24 (aws_security_group_rule.ingress_traffic_ebslb_443)
────────────────────────────────────────
16 resource "aws_security_group_rule" "ingress_traffic_ebslb_443" {
17 security_group_id = aws_security_group.sg_ebsapps_lb.id
18 type = "ingress"
19 description = "HTTPS"
20 protocol = "TCP"
21 from_port = 443
22 to_port = 443
23 [ cidr_blocks = ["0.0.0.0/0"]
24 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-public.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1 resource "aws_lb" "ebsapps_lb" {
.
3 [ internal = false
..
19 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18
via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16 resource "aws_lb" "ebsapps_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps-sg.tf (terraform)

Tests: 26 (SUCCESSES: 12, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 0, CRITICAL: 14)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:325
via ccms-ec2-oracle_ebs_apps-sg.tf:318-326 (aws_security_group_rule.egress_traffic_ebsapps_10401)
────────────────────────────────────────
318 resource "aws_security_group_rule" "egress_traffic_ebsapps_10401" {
319 security_group_id = aws_security_group.ec2_sg_ebsapps.id
320 type = "egress"
321 description = "Oracle"
322 protocol = "TCP"
323 from_port = 10401
324 to_port = 10401
325 [ cidr_blocks = ["0.0.0.0/0"]
326 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:253
via ccms-ec2-oracle_ebs_apps-sg.tf:246-254 (aws_security_group_rule.egress_traffic_ebsapps_1389)
────────────────────────────────────────
246 resource "aws_security_group_rule" "egress_traffic_ebsapps_1389" {
247 security_group_id = aws_security_group.ec2_sg_ebsapps.id
248 type = "egress"
249 description = "ORACLE LDAP"
250 protocol = "TCP"
251 from_port = 1389
252 to_port = 1389
253 [ cidr_blocks = ["0.0.0.0/0"]
254 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:265
via ccms-ec2-oracle_ebs_apps-sg.tf:258-266 (aws_security_group_rule.egress_traffic_ebsapps_152x)
────────────────────────────────────────
258 resource "aws_security_group_rule" "egress_traffic_ebsapps_152x" {
259 security_group_id = aws_security_group.ec2_sg_ebsapps.id
260 type = "egress"
261 description = "ORACLE Net Listener"
262 protocol = "TCP"
263 from_port = 1521
264 to_port = 1522
265 [ cidr_blocks = ["0.0.0.0/0"]
266 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:313
via ccms-ec2-oracle_ebs_apps-sg.tf:306-314 (aws_security_group_rule.egress_traffic_ebsapps_1636)
────────────────────────────────────────
306 resource "aws_security_group_rule" "egress_traffic_ebsapps_1636" {
307 security_group_id = aws_security_group.ec2_sg_ebsapps.id
308 type = "egress"
309 description = "Oracle LDAP SSL"
310 protocol = "TCP"
311 from_port = 1636
312 to_port = 1636
313 [ cidr_blocks = ["0.0.0.0/0"]
314 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:241
via ccms-ec2-oracle_ebs_apps-sg.tf:234-242 (aws_security_group_rule.egress_traffic_ebsapps_22)
────────────────────────────────────────
234 resource "aws_security_group_rule" "egress_traffic_ebsapps_22" {
235 security_group_id = aws_security_group.ec2_sg_ebsapps.id
236 type = "egress"
237 description = "SSH"
238 protocol = "TCP"
239 from_port = 22
240 to_port = 22
241 [ cidr_blocks = ["0.0.0.0/0"]
242 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:229
via ccms-ec2-oracle_ebs_apps-sg.tf:222-230 (aws_security_group_rule.egress_traffic_ebsapps_2x)
────────────────────────────────────────
222 resource "aws_security_group_rule" "egress_traffic_ebsapps_2x" {
223 security_group_id = aws_security_group.ec2_sg_ebsapps.id
224 type = "egress"
225 description = "FTP"
226 protocol = "TCP"
227 from_port = 20
228 to_port = 21
229 [ cidr_blocks = ["0.0.0.0/0"]
230 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:217
via ccms-ec2-oracle_ebs_apps-sg.tf:210-218 (aws_security_group_rule.egress_traffic_ebsapps_443)
────────────────────────────────────────
210 resource "aws_security_group_rule" "egress_traffic_ebsapps_443" {
211 security_group_id = aws_security_group.ec2_sg_ebsapps.id
212 type = "egress"
213 description = "HTTPS"
214 protocol = "TCP"
215 from_port = 443
216 to_port = 443
217 [ cidr_blocks = ["0.0.0.0/0"]
218 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:361
via ccms-ec2-oracle_ebs_apps-sg.tf:354-362 (aws_security_group_rule.egress_traffic_ebsapps_4443)
────────────────────────────────────────
354 resource "aws_security_group_rule" "egress_traffic_ebsapps_4443" {
355 security_group_id = aws_security_group.ec2_sg_ebsapps.id
356 type = "egress"
357 description = "Oracle HTTPS"
358 protocol = "TCP"
359 from_port = 4443
360 to_port = 4444
361 [ cidr_blocks = ["0.0.0.0/0"]
362 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:337
via ccms-ec2-oracle_ebs_apps-sg.tf:330-338 (aws_security_group_rule.egress_traffic_ebsapps_50000)
────────────────────────────────────────
330 resource "aws_security_group_rule" "egress_traffic_ebsapps_50000" {
331 security_group_id = aws_security_group.ec2_sg_ebsapps.id
332 type = "egress"
333 description = "Oracle"
334 protocol = "TCP"
335 from_port = 50000
336 to_port = 51000
337 [ cidr_blocks = ["0.0.0.0/0"]
338 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:277
via ccms-ec2-oracle_ebs_apps-sg.tf:270-278 (aws_security_group_rule.egress_traffic_ebsapps_5101)
────────────────────────────────────────
270 resource "aws_security_group_rule" "egress_traffic_ebsapps_5101" {
271 security_group_id = aws_security_group.ec2_sg_ebsapps.id
272 type = "egress"
273 description = "Oracle"
274 protocol = "TCP"
275 from_port = 5101
276 to_port = 5101
277 [ cidr_blocks = ["0.0.0.0/0"]
278 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:289
via ccms-ec2-oracle_ebs_apps-sg.tf:282-290 (aws_security_group_rule.egress_traffic_ebsapps_5401)
────────────────────────────────────────
282 resource "aws_security_group_rule" "egress_traffic_ebsapps_5401" {
283 security_group_id = aws_security_group.ec2_sg_ebsapps.id
284 type = "egress"
285 description = "Oracle"
286 protocol = "TCP"
287 from_port = 5401
288 to_port = 5401
289 [ cidr_blocks = ["0.0.0.0/0"]
290 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:301
via ccms-ec2-oracle_ebs_apps-sg.tf:294-302 (aws_security_group_rule.egress_traffic_ebsapps_5575)
────────────────────────────────────────
294 resource "aws_security_group_rule" "egress_traffic_ebsapps_5575" {
295 security_group_id = aws_security_group.ec2_sg_ebsapps.id
296 type = "egress"
297 description = "Oracle"
298 protocol = "TCP"
299 from_port = 5575
300 to_port = 5575
301 [ cidr_blocks = ["0.0.0.0/0"]
302 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:205
via ccms-ec2-oracle_ebs_apps-sg.tf:198-206 (aws_security_group_rule.egress_traffic_ebsapps_80)
────────────────────────────────────────
198 resource "aws_security_group_rule" "egress_traffic_ebsapps_80" {
199 security_group_id = aws_security_group.ec2_sg_ebsapps.id
200 type = "egress"
201 description = "Oracle HTTPs"
202 protocol = "TCP"
203 from_port = 80
204 to_port = 80
205 [ cidr_blocks = ["0.0.0.0/0"]
206 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-sg.tf:349
via ccms-ec2-oracle_ebs_apps-sg.tf:342-350 (aws_security_group_rule.egress_traffic_ebsapps_800x)
────────────────────────────────────────
342 resource "aws_security_group_rule" "egress_traffic_ebsapps_800x" {
343 security_group_id = aws_security_group.ec2_sg_ebsapps.id
344 type = "egress"
345 description = "Oracle HTTP"
346 protocol = "TCP"
347 from_port = 8000
348 to_port = 8005
349 [ cidr_blocks = ["0.0.0.0/0"]
350 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_apps.tf (terraform)

Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-ec2-oracle_ebs_db-sg.tf (terraform)

Tests: 27 (SUCCESSES: 12, FAILURES: 15, EXCEPTIONS: 0)
Failures: 15 (HIGH: 0, CRITICAL: 15)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:327
via ccms-ec2-oracle_ebs_db-sg.tf:320-328 (aws_security_group_rule.egress_traffic_ebsdb_10401)
────────────────────────────────────────
320 resource "aws_security_group_rule" "egress_traffic_ebsdb_10401" {
321 security_group_id = aws_security_group.ec2_sg_ebsdb.id
322 type = "egress"
323 description = "Oracle"
324 protocol = "TCP"
325 from_port = 10401
326 to_port = 10401
327 [ cidr_blocks = ["0.0.0.0/0"]
328 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:255
via ccms-ec2-oracle_ebs_db-sg.tf:248-256 (aws_security_group_rule.egress_traffic_ebsdb_1389)
────────────────────────────────────────
248 resource "aws_security_group_rule" "egress_traffic_ebsdb_1389" {
249 security_group_id = aws_security_group.ec2_sg_ebsdb.id
250 type = "egress"
251 description = "ORACLE LDAP"
252 protocol = "TCP"
253 from_port = 1389
254 to_port = 1389
255 [ cidr_blocks = ["0.0.0.0/0"]
256 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:267
via ccms-ec2-oracle_ebs_db-sg.tf:260-268 (aws_security_group_rule.egress_traffic_ebsdb_152x)
────────────────────────────────────────
260 resource "aws_security_group_rule" "egress_traffic_ebsdb_152x" {
261 security_group_id = aws_security_group.ec2_sg_ebsdb.id
262 type = "egress"
263 description = "ORACLE Net Listener"
264 protocol = "TCP"
265 from_port = 1521
266 to_port = 1522
267 [ cidr_blocks = ["0.0.0.0/0"]
268 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:315
via ccms-ec2-oracle_ebs_db-sg.tf:308-316 (aws_security_group_rule.egress_traffic_ebsdb_1636)
────────────────────────────────────────
308 resource "aws_security_group_rule" "egress_traffic_ebsdb_1636" {
309 security_group_id = aws_security_group.ec2_sg_ebsdb.id
310 type = "egress"
311 description = "Oracle LDAP SSL"
312 protocol = "TCP"
313 from_port = 1636
314 to_port = 1636
315 [ cidr_blocks = ["0.0.0.0/0"]
316 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:243
via ccms-ec2-oracle_ebs_db-sg.tf:236-244 (aws_security_group_rule.egress_traffic_ebsdb_22)
────────────────────────────────────────
236 resource "aws_security_group_rule" "egress_traffic_ebsdb_22" {
237 security_group_id = aws_security_group.ec2_sg_ebsdb.id
238 type = "egress"
239 description = "SSH"
240 protocol = "TCP"
241 from_port = 22
242 to_port = 22
243 [ cidr_blocks = ["0.0.0.0/0"]
244 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:376
via ccms-ec2-oracle_ebs_db-sg.tf:368-377 (aws_security_group_rule.egress_traffic_ebsdb_2525[0])
────────────────────────────────────────
368 resource "aws_security_group_rule" "egress_traffic_ebsdb_2525" {
369 count = local.is-production ? 0 : 1
370 security_group_id = aws_security_group.ec2_sg_ebsdb.id
371 type = "egress"
372 description = "SMTP"
373 protocol = "TCP"
374 from_port = 2525
375 to_port = 2525
376 [ cidr_blocks = ["0.0.0.0/0"]
377 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:231
via ccms-ec2-oracle_ebs_db-sg.tf:224-232 (aws_security_group_rule.egress_traffic_ebsdb_2x)
────────────────────────────────────────
224 resource "aws_security_group_rule" "egress_traffic_ebsdb_2x" {
225 security_group_id = aws_security_group.ec2_sg_ebsdb.id
226 type = "egress"
227 description = "FTP"
228 protocol = "TCP"
229 from_port = 20
230 to_port = 21
231 [ cidr_blocks = ["0.0.0.0/0"]
232 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:219
via ccms-ec2-oracle_ebs_db-sg.tf:212-220 (aws_security_group_rule.egress_traffic_ebsdb_443)
────────────────────────────────────────
212 resource "aws_security_group_rule" "egress_traffic_ebsdb_443" {
213 security_group_id = aws_security_group.ec2_sg_ebsdb.id
214 type = "egress"
215 description = "HTTPS"
216 protocol = "TCP"
217 from_port = 443
218 to_port = 443
219 [ cidr_blocks = ["0.0.0.0/0"]
220 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:363
via ccms-ec2-oracle_ebs_db-sg.tf:356-364 (aws_security_group_rule.egress_traffic_ebsdb_4443)
────────────────────────────────────────
356 resource "aws_security_group_rule" "egress_traffic_ebsdb_4443" {
357 security_group_id = aws_security_group.ec2_sg_ebsdb.id
358 type = "egress"
359 description = "Oracle HTTPS"
360 protocol = "TCP"
361 from_port = 4443
362 to_port = 4444
363 [ cidr_blocks = ["0.0.0.0/0"]
364 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:339
via ccms-ec2-oracle_ebs_db-sg.tf:332-340 (aws_security_group_rule.egress_traffic_ebsdb_50000)
────────────────────────────────────────
332 resource "aws_security_group_rule" "egress_traffic_ebsdb_50000" {
333 security_group_id = aws_security_group.ec2_sg_ebsdb.id
334 type = "egress"
335 description = "Oracle"
336 protocol = "TCP"
337 from_port = 50000
338 to_port = 51000
339 [ cidr_blocks = ["0.0.0.0/0"]
340 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:279
via ccms-ec2-oracle_ebs_db-sg.tf:272-280 (aws_security_group_rule.egress_traffic_ebsdb_5101)
────────────────────────────────────────
272 resource "aws_security_group_rule" "egress_traffic_ebsdb_5101" {
273 security_group_id = aws_security_group.ec2_sg_ebsdb.id
274 type = "egress"
275 description = "Oracle"
276 protocol = "TCP"
277 from_port = 5101
278 to_port = 5101
279 [ cidr_blocks = ["0.0.0.0/0"]
280 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:291
via ccms-ec2-oracle_ebs_db-sg.tf:284-292 (aws_security_group_rule.egress_traffic_ebsdb_5401)
────────────────────────────────────────
284 resource "aws_security_group_rule" "egress_traffic_ebsdb_5401" {
285 security_group_id = aws_security_group.ec2_sg_ebsdb.id
286 type = "egress"
287 description = "Oracle"
288 protocol = "TCP"
289 from_port = 5401
290 to_port = 5401
291 [ cidr_blocks = ["0.0.0.0/0"]
292 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:303
via ccms-ec2-oracle_ebs_db-sg.tf:296-304 (aws_security_group_rule.egress_traffic_ebsdb_5575)
────────────────────────────────────────
296 resource "aws_security_group_rule" "egress_traffic_ebsdb_5575" {
297 security_group_id = aws_security_group.ec2_sg_ebsdb.id
298 type = "egress"
299 description = "Oracle"
300 protocol = "TCP"
301 from_port = 5575
302 to_port = 5575
303 [ cidr_blocks = ["0.0.0.0/0"]
304 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:207
via ccms-ec2-oracle_ebs_db-sg.tf:200-208 (aws_security_group_rule.egress_traffic_ebsdb_80)
────────────────────────────────────────
200 resource "aws_security_group_rule" "egress_traffic_ebsdb_80" {
201 security_group_id = aws_security_group.ec2_sg_ebsdb.id
202 type = "egress"
203 description = "Oracle HTTPs"
204 protocol = "TCP"
205 from_port = 80
206 to_port = 80
207 [ cidr_blocks = ["0.0.0.0/0"]
208 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_ebs_db-sg.tf:351
via ccms-ec2-oracle_ebs_db-sg.tf:344-352 (aws_security_group_rule.egress_traffic_ebsdb_800x)
────────────────────────────────────────
344 resource "aws_security_group_rule" "egress_traffic_ebsdb_800x" {
345 security_group_id = aws_security_group.ec2_sg_ebsdb.id
346 type = "egress"
347 description = "Oracle HTTP"
348 protocol = "TCP"
349 from_port = 8000
350 to_port = 8005
351 [ cidr_blocks = ["0.0.0.0/0"]
352 }
────────────────────────────────────────

ccms-ec2-oracle_ebs_db.tf (terraform)

Tests: 16 (SUCCESSES: 15, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb-sg.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb-sg.tf:39
via ccms-ec2-oracle_webgate-alb-sg.tf:32-40 (aws_security_group_rule.egress_traffic_webgatelb_80)
────────────────────────────────────────
32 resource "aws_security_group_rule" "egress_traffic_webgatelb_80" {
33 security_group_id = aws_security_group.sg_webgate_lb.id
34 type = "egress"
35 description = "All"
36 protocol = "TCP"
37 from_port = 0
38 to_port = 0
39 [ cidr_blocks = ["0.0.0.0/0"]
40 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb-sg.tf:24
via ccms-ec2-oracle_webgate-alb-sg.tf:17-25 (aws_security_group_rule.ingress_traffic_webgatelb_443)
────────────────────────────────────────
17 resource "aws_security_group_rule" "ingress_traffic_webgatelb_443" {
18 security_group_id = aws_security_group.sg_webgate_lb.id
19 type = "ingress"
20 description = "HTTPS"
21 protocol = "TCP"
22 from_port = 443
23 to_port = 443
24 [ cidr_blocks = ["0.0.0.0/0"]
25 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-alb.tf (terraform)

Tests: 8 (SUCCESSES: 5, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ count = local.is-production ? 1 : 1
3 │ name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal = true
5 │ load_balancer_type = "application"
6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection = true
..
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb" "webgate_public_lb" {
63 │ name = lower(format("public-alb-webgate"))
64 │ internal = false
65 │ load_balancer_type = "application"
66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection = true
70 └
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb" "webgate_public_lb" {
..
64 [ internal = false
..
80 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-nlb.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb" "webgate_nlb" {
..
18 [ internal = false
..
42 }
────────────────────────────────────────

ccms-ec2-oracle_webgate-sg.tf (terraform)

Tests: 26 (SUCCESSES: 12, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 0, CRITICAL: 14)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:326
via ccms-ec2-oracle_webgate-sg.tf:319-327 (aws_security_group_rule.egress_traffic_webgate_10401)
────────────────────────────────────────
319 resource "aws_security_group_rule" "egress_traffic_webgate_10401" {
320 security_group_id = aws_security_group.ec2_sg_webgate.id
321 type = "egress"
322 description = "Oracle"
323 protocol = "TCP"
324 from_port = 10401
325 to_port = 10401
326 [ cidr_blocks = ["0.0.0.0/0"]
327 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:254
via ccms-ec2-oracle_webgate-sg.tf:247-255 (aws_security_group_rule.egress_traffic_webgate_1389)
────────────────────────────────────────
247 resource "aws_security_group_rule" "egress_traffic_webgate_1389" {
248 security_group_id = aws_security_group.ec2_sg_webgate.id
249 type = "egress"
250 description = "ORACLE LDAP"
251 protocol = "TCP"
252 from_port = 1389
253 to_port = 1389
254 [ cidr_blocks = ["0.0.0.0/0"]
255 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:266
via ccms-ec2-oracle_webgate-sg.tf:259-267 (aws_security_group_rule.egress_traffic_webgate_152x)
────────────────────────────────────────
259 resource "aws_security_group_rule" "egress_traffic_webgate_152x" {
260 security_group_id = aws_security_group.ec2_sg_webgate.id
261 type = "egress"
262 description = "ORACLE Net Listener"
263 protocol = "TCP"
264 from_port = 1521
265 to_port = 1522
266 [ cidr_blocks = ["0.0.0.0/0"]
267 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:314
via ccms-ec2-oracle_webgate-sg.tf:307-315 (aws_security_group_rule.egress_traffic_webgate_1636)
────────────────────────────────────────
307 resource "aws_security_group_rule" "egress_traffic_webgate_1636" {
308 security_group_id = aws_security_group.ec2_sg_webgate.id
309 type = "egress"
310 description = "Oracle LDAP SSL"
311 protocol = "TCP"
312 from_port = 1636
313 to_port = 1636
314 [ cidr_blocks = ["0.0.0.0/0"]
315 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:242
via ccms-ec2-oracle_webgate-sg.tf:235-243 (aws_security_group_rule.egress_traffic_webgate_22)
────────────────────────────────────────
235 resource "aws_security_group_rule" "egress_traffic_webgate_22" {
236 security_group_id = aws_security_group.ec2_sg_webgate.id
237 type = "egress"
238 description = "SSH"
239 protocol = "TCP"
240 from_port = 22
241 to_port = 22
242 [ cidr_blocks = ["0.0.0.0/0"]
243 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:230
via ccms-ec2-oracle_webgate-sg.tf:223-231 (aws_security_group_rule.egress_traffic_webgate_2x)
────────────────────────────────────────
223 resource "aws_security_group_rule" "egress_traffic_webgate_2x" {
224 security_group_id = aws_security_group.ec2_sg_webgate.id
225 type = "egress"
226 description = "FTP"
227 protocol = "TCP"
228 from_port = 20
229 to_port = 21
230 [ cidr_blocks = ["0.0.0.0/0"]
231 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:218
via ccms-ec2-oracle_webgate-sg.tf:211-219 (aws_security_group_rule.egress_traffic_webgate_443)
────────────────────────────────────────
211 resource "aws_security_group_rule" "egress_traffic_webgate_443" {
212 security_group_id = aws_security_group.ec2_sg_webgate.id
213 type = "egress"
214 description = "HTTPS"
215 protocol = "TCP"
216 from_port = 443
217 to_port = 443
218 [ cidr_blocks = ["0.0.0.0/0"]
219 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:362
via ccms-ec2-oracle_webgate-sg.tf:355-363 (aws_security_group_rule.egress_traffic_webgate_4443)
────────────────────────────────────────
355 resource "aws_security_group_rule" "egress_traffic_webgate_4443" {
356 security_group_id = aws_security_group.ec2_sg_webgate.id
357 type = "egress"
358 description = "Oracle HTTPS"
359 protocol = "TCP"
360 from_port = 4443
361 to_port = 4444
362 [ cidr_blocks = ["0.0.0.0/0"]
363 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:338
via ccms-ec2-oracle_webgate-sg.tf:331-339 (aws_security_group_rule.egress_traffic_webgate_50000)
────────────────────────────────────────
331 resource "aws_security_group_rule" "egress_traffic_webgate_50000" {
332 security_group_id = aws_security_group.ec2_sg_webgate.id
333 type = "egress"
334 description = "Oracle"
335 protocol = "TCP"
336 from_port = 50000
337 to_port = 51000
338 [ cidr_blocks = ["0.0.0.0/0"]
339 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:278
via ccms-ec2-oracle_webgate-sg.tf:271-279 (aws_security_group_rule.egress_traffic_webgate_5101)
────────────────────────────────────────
271 resource "aws_security_group_rule" "egress_traffic_webgate_5101" {
272 security_group_id = aws_security_group.ec2_sg_webgate.id
273 type = "egress"
274 description = "Oracle"
275 protocol = "TCP"
276 from_port = 5101
277 to_port = 5101
278 [ cidr_blocks = ["0.0.0.0/0"]
279 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:290
via ccms-ec2-oracle_webgate-sg.tf:283-291 (aws_security_group_rule.egress_traffic_webgate_5401)
────────────────────────────────────────
283 resource "aws_security_group_rule" "egress_traffic_webgate_5401" {
284 security_group_id = aws_security_group.ec2_sg_webgate.id
285 type = "egress"
286 description = "Oracle"
287 protocol = "TCP"
288 from_port = 5401
289 to_port = 5401
290 [ cidr_blocks = ["0.0.0.0/0"]
291 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:302
via ccms-ec2-oracle_webgate-sg.tf:295-303 (aws_security_group_rule.egress_traffic_webgate_5575)
────────────────────────────────────────
295 resource "aws_security_group_rule" "egress_traffic_webgate_5575" {
296 security_group_id = aws_security_group.ec2_sg_webgate.id
297 type = "egress"
298 description = "Oracle"
299 protocol = "TCP"
300 from_port = 5575
301 to_port = 5575
302 [ cidr_blocks = ["0.0.0.0/0"]
303 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:206
via ccms-ec2-oracle_webgate-sg.tf:199-207 (aws_security_group_rule.egress_traffic_webgate_80)
────────────────────────────────────────
199 resource "aws_security_group_rule" "egress_traffic_webgate_80" {
200 security_group_id = aws_security_group.ec2_sg_webgate.id
201 type = "egress"
202 description = "Oracle HTTPs"
203 protocol = "TCP"
204 from_port = 80
205 to_port = 80
206 [ cidr_blocks = ["0.0.0.0/0"]
207 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ccms-ec2-oracle_webgate-sg.tf:350
via ccms-ec2-oracle_webgate-sg.tf:343-351 (aws_security_group_rule.egress_traffic_webgate_800x)
────────────────────────────────────────
343 resource "aws_security_group_rule" "egress_traffic_webgate_800x" {
344 security_group_id = aws_security_group.ec2_sg_webgate.id
345 type = "egress"
346 description = "Oracle HTTP"
347 protocol = "TCP"
348 from_port = 8000
349 to_port = 8005
350 [ cidr_blocks = ["0.0.0.0/0"]
351 }
────────────────────────────────────────

ccms-ec2-oracle_webgate.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ccms-sns.tf (terraform)

Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ccms-sns.tf:17-20
────────────────────────────────────────
17 ┌ resource "aws_sns_topic" "cw_alerts" {
18 │ name = "ccms-ebs-ec2-alerts"
19 │ #kms_master_key_id = "alias/aws/sns"
20 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ccms-sns.tf:51-54
────────────────────────────────────────
51 ┌ resource "aws_sns_topic" "ddos_alarm" {
52 │ name = format("%s_ddos_alarm", local.application_name)
53 │ #kms_master_key_id = "alias/aws/sns"
54 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ccms-sns.tf:34-37
────────────────────────────────────────
34 ┌ resource "aws_sns_topic" "s3_topic" {
35 │ name = "s3-event-notification-topic"
36 │ policy = data.aws_iam_policy_document.s3_topic_policy.json
37 └ }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-09 14:23:48,420 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 806, Failed checks: 44, Skipped checks: 3

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ccms-cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /ccms-cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /ccms-dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-67
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_mailrelay
	File: /ccms-ec2-mailrelay.tf:2-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ccms-ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
		3  |   internal           = false
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-public.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		39 | resource "aws_lb_target_group" "ebsapp_tg" {
		40 |   name     = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
		41 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		42 |   protocol = "HTTP"
		43 |   vpc_id   = data.aws_vpc.shared.id
		44 |   health_check {
		45 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		46 |     protocol = "HTTP"
		47 |   }
		48 | 
		49 |   stickiness {
		50 |     enabled         = true
		51 |     type            = "lb_cookie"
		52 |     cookie_duration = 3600
		53 |   }
		54 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ebsapps_nlb
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "ebsapps_nlb" {
		17 |   name               = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.ebs_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.ebs_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.ebs_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
		41 |   )
		42 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ccms-ec2-oracle_ebs_apps.tf:1-127
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ccms-ec2-oracle_ebs_db.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   count              = local.is-production ? 1 : 1
		3  |   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
		4  |   internal           = true
		5  |   load_balancer_type = "application"
		6  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		7  |   subnets            = data.aws_subnets.shared-private.ids
		8  | 
		9  |   enable_deletion_protection = true
		10 | 
		11 |   access_logs {
		12 |     bucket  = module.s3-bucket-logging.bucket.id
		13 |     prefix  = local.lb_log_prefix_wgate
		14 |     enabled = true
		15 |   }
		16 | 
		17 |   tags = merge(local.tags,
		18 |     { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
		19 |   )
		20 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ccms-ec2-oracle_webgate-alb.tf:40-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		40 | resource "aws_lb_target_group" "webgate_tg" {
		41 |   count    = local.is-production ? 1 : 1
		42 |   name     = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
		43 |   port     = 5401
		44 |   protocol = "HTTP"
		45 |   vpc_id   = data.aws_vpc.shared.id
		46 |   health_check {
		47 |     port     = 5401
		48 |     protocol = "HTTP"
		49 |     matcher  = 302
		50 |     timeout  = 10
		51 |   }
		52 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_public_lb
	File: /ccms-ec2-oracle_webgate-alb.tf:62-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		62 | resource "aws_lb" "webgate_public_lb" {
		63 |   name               = lower(format("public-alb-webgate"))
		64 |   internal           = false
		65 |   load_balancer_type = "application"
		66 |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		67 |   subnets            = data.aws_subnets.shared-public.ids
		68 | 
		69 |   enable_deletion_protection = true
		70 | 
		71 |   access_logs {
		72 |     bucket  = module.s3-bucket-logging.bucket.id
		73 |     prefix  = local.lb_log_prefix_wgate_public
		74 |     enabled = true
		75 |   }
		76 | 
		77 |   tags = merge(local.tags,
		78 |     { Name = lower(format("public-alb-webgate")) }
		79 |   )
		80 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg_public
	File: /ccms-ec2-oracle_webgate-alb.tf:100-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		100 | resource "aws_lb_target_group" "webgate_tg_public" {
		101 |   name     = lower(format("public-alb-webgate-tg"))
		102 |   port     = 5401
		103 |   protocol = "HTTP"
		104 |   vpc_id   = data.aws_vpc.shared.id
		105 |   health_check {
		106 |     port     = 5401
		107 |     protocol = "HTTP"
		108 |     matcher  = 302
		109 |     timeout  = 10
		110 |   }
		111 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.webgate_nlb
	File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		16 | resource "aws_lb" "webgate_nlb" {
		17 |   name               = lower(format("public-nlb-webgate"))
		18 |   internal           = false
		19 |   load_balancer_type = "network"
		20 | 
		21 |   enable_deletion_protection       = true
		22 |   enable_cross_zone_load_balancing = true
		23 | 
		24 |   subnet_mapping {
		25 |     subnet_id     = data.aws_subnets.shared-public.ids[0]
		26 |     allocation_id = aws_eip.webgate_eip[0].id
		27 |   }
		28 | 
		29 |   subnet_mapping {
		30 |     subnet_id     = data.aws_subnets.shared-public.ids[1]
		31 |     allocation_id = aws_eip.webgate_eip[1].id
		32 |   }
		33 | 
		34 |   subnet_mapping {
		35 |     subnet_id     = data.aws_subnets.shared-public.ids[2]
		36 |     allocation_id = aws_eip.webgate_eip[2].id
		37 |   }
		38 | 
		39 |   tags = merge(local.tags,
		40 |     { Name = lower(format("public-nlb-webgate")) }
		41 |   )
		42 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ccms-ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /ccms-iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /ccms-s3.tf:2-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /ccms-s3.tf:98-166
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /ccms-s3.tf:190-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ccms-ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /ccms-sns.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "cw_alerts" {
		18 |   name = "ccms-ebs-ec2-alerts"
		19 |   #kms_master_key_id = "alias/aws/sns"
		20 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /ccms-sns.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		34 | resource "aws_sns_topic" "s3_topic" {
		35 |   name   = "s3-event-notification-topic"
		36 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		37 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ccms-sns.tf:51-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		51 | resource "aws_sns_topic" "ddos_alarm" {
		52 |   name = format("%s_ddos_alarm", local.application_name)
		53 |   #kms_master_key_id = "alias/aws/sns"
		54 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
	File: /ccms-waf.tf:168-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		168 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
		169 |   name        = "ebs_waf"
		170 |   scope       = "REGIONAL"
		171 |   description = "AWS WAF Web ACL for EBS"
		172 | 
		173 |   default_action {
		174 |     block {}
		175 |   }
		176 | 
		177 |   rule {
		178 |     name = "ebs-trusted-rule"
		179 | 
		180 |     priority = 1
		181 |     action {
		182 |       allow {}
		183 |     }
		184 | 
		185 |     statement {
		186 |       ip_set_reference_statement {
		187 |         arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
		188 |       }
		189 |     }
		190 | 
		191 |     visibility_config {
		192 |       cloudwatch_metrics_enabled = true
		193 |       metric_name                = "ebs_waf_metrics"
		194 |       sampled_requests_enabled   = true
		195 |     }
		196 |   }
		197 | 
		198 |   tags = merge(local.tags,
		199 |     { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
		200 |   )
		201 | 
		202 |   visibility_config {
		203 |     cloudwatch_metrics_enabled = true
		204 |     metric_name                = "ebs_waf_metrics"
		205 |     sampled_requests_enabled   = true
		206 |   }
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:209-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		209 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		210 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		211 |   retention_in_days = 30
		212 | 
		213 |   tags = merge(local.tags,
		214 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		215 |   )
		216 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
	File: /ccms-waf.tf:209-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		209 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
		210 |   name              = "aws-waf-logs-ebs/ebs-waf-logs"
		211 |   retention_in_days = 30
		212 | 
		213 |   tags = merge(local.tags,
		214 |     { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
		215 |   )
		216 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /ccms-cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /ccms-kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.ebs_eip
	File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "ebs_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: aws_eip.webgate_eip
	File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances

		2  | resource "aws_eip" "webgate_eip" {
		3  |   count = local.is-production ? 6 : 3
		4  |   vpc   = true
		5  | 
		6  |   lifecycle {
		7  |     prevent_destroy = true
		8  |   }
		9  | 
		10 |   tags = merge(local.tags,
		11 |     { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
		12 |   )
		13 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   name        = "ftp-s3-${local.environment}-aws-key"
		5  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		6  | 
		7  |   tags = merge(local.tags,
		8  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		9  |   )
		10 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
	File: /ccms-secrets.tf:12-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
		13 |   name        = "ses-smtp-credentials"
		14 |   description = "SMTP credentials for Postfix to send messages through SES."
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = "ses-smtp-credentials-${local.environment}" }
		18 |   )
		19 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /ccms-sns.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name        = "support_email_account"
		4 |   description = "email address of the support account for cw alerts"
		5 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:
  23:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:
  24:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:
  25:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:
  28:     smtp_fqdn = "${local.application_data.accounts[local.environment].ses_domain_identity}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs

*****************************

Running Trivy in terraform/environments/ccms-ebs
2024-08-09T14:23:39Z	INFO	[db] Need to update DB
2024-08-09T14:23:39Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-09T14:23:42Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-09T14:23:42Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-09T14:23:42Z	INFO	Need to update the built-in policies
2024-08-09T14:23:42Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-09T14:23:42Z	INFO	[secret] Secret scanning is enabled
2024-08-09T14:23:42Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-09T14:23:42Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-09T14:23:45Z	INFO	Number of language-specific files	num=0
2024-08-09T14:23:45Z	INFO	Detected config files	num=33

ccms-ec2-clamav-sg.tf (terraform)
=================================
Tests: 5 (SUCCESSES: 2, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-clamav-sg.tf:65
   via ccms-ec2-clamav-sg.tf:58-66 (aws_security_group_rule.egress_traffic_clamav_22)
────────────────────────────────────────
  58   resource "aws_security_group_rule" "egress_traffic_clamav_22" {
  59     security_group_id = aws_security_group.ec2_sg_clamav.id
  60     type              = "egress"
  61     description       = "SSH"
  62     protocol          = "TCP"
  63     from_port         = 22
  64     to_port           = 22
  65 [   cidr_blocks       = ["0.0.0.0/0"]
  66   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-clamav-sg.tf:53
   via ccms-ec2-clamav-sg.tf:46-54 (aws_security_group_rule.egress_traffic_clamav_3310)
────────────────────────────────────────
  46   resource "aws_security_group_rule" "egress_traffic_clamav_3310" {
  47     security_group_id = aws_security_group.ec2_sg_clamav.id
  48     type              = "egress"
  49     description       = "ClamAV"
  50     protocol          = "TCP"
  51     from_port         = 3310
  52     to_port           = 3310
  53 [   cidr_blocks       = ["0.0.0.0/0"]
  54   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-clamav-sg.tf:77
   via ccms-ec2-clamav-sg.tf:70-78 (aws_security_group_rule.egress_traffic_clamav_443)
────────────────────────────────────────
  70   resource "aws_security_group_rule" "egress_traffic_clamav_443" {
  71     security_group_id = aws_security_group.ec2_sg_clamav.id
  72     type              = "egress"
  73     description       = "HTTPS"
  74     protocol          = "TCP"
  75     from_port         = 443
  76     to_port           = 443
  77 [   cidr_blocks       = ["0.0.0.0/0"]
  78   }
────────────────────────────────────────



ccms-ec2-ftp-sg.tf (terraform)
==============================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-ftp-sg.tf:79
   via ccms-ec2-ftp-sg.tf:72-80 (aws_security_group_rule.egress_traffic_ftp_22)
────────────────────────────────────────
  72   resource "aws_security_group_rule" "egress_traffic_ftp_22" {
  73     security_group_id = aws_security_group.ec2_sg_ftp.id
  74     type              = "egress"
  75     description       = "SSH"
  76     protocol          = "TCP"
  77     from_port         = 22
  78     to_port           = 22
  79 [   cidr_blocks       = ["0.0.0.0/0"]
  80   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-ftp-sg.tf:91
   via ccms-ec2-ftp-sg.tf:84-92 (aws_security_group_rule.egress_traffic_ftp_443)
────────────────────────────────────────
  84   resource "aws_security_group_rule" "egress_traffic_ftp_443" {
  85     security_group_id = aws_security_group.ec2_sg_ftp.id
  86     type              = "egress"
  87     description       = "HTTPS"
  88     protocol          = "TCP"
  89     from_port         = 443
  90     to_port           = 443
  91 [   cidr_blocks       = ["0.0.0.0/0"]
  92   }
────────────────────────────────────────



ccms-ec2-mailrelay-sg.tf (terraform)
====================================
Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-mailrelay-sg.tf:51
   via ccms-ec2-mailrelay-sg.tf:44-52 (aws_security_group_rule.egress_traffic_mailrelay_443)
────────────────────────────────────────
  44   resource "aws_security_group_rule" "egress_traffic_mailrelay_443" {
  45     security_group_id = aws_security_group.ec2_sg_mailrelay.id
  46     type              = "egress"
  47     description       = "HTTPS"
  48     protocol          = "TCP"
  49     from_port         = 443
  50     to_port           = 443
  51 [   cidr_blocks       = ["0.0.0.0/0"]
  52   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-mailrelay-sg.tf:63
   via ccms-ec2-mailrelay-sg.tf:56-64 (aws_security_group_rule.egress_traffic_mailrelay_587)
────────────────────────────────────────
  56   resource "aws_security_group_rule" "egress_traffic_mailrelay_587" {
  57     security_group_id = aws_security_group.ec2_sg_mailrelay.id
  58     type              = "egress"
  59     description       = "SES"
  60     protocol          = "TCP"
  61     from_port         = 587
  62     to_port           = 587
  63 [   cidr_blocks       = ["0.0.0.0/0"]
  64   }
────────────────────────────────────────



ccms-ec2-oracle_accessgate-sg.tf (terraform)
============================================
Tests: 26 (SUCCESSES: 12, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 0, CRITICAL: 14)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:325
   via ccms-ec2-oracle_accessgate-sg.tf:318-326 (aws_security_group_rule.egress_traffic_accessgate_10401)
────────────────────────────────────────
 318   resource "aws_security_group_rule" "egress_traffic_accessgate_10401" {
 319     security_group_id = aws_security_group.ec2_sg_accessgate.id
 320     type              = "egress"
 321     description       = "Oracle"
 322     protocol          = "TCP"
 323     from_port         = 10401
 324     to_port           = 10401
 325 [   cidr_blocks       = ["0.0.0.0/0"]
 326   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:253
   via ccms-ec2-oracle_accessgate-sg.tf:246-254 (aws_security_group_rule.egress_traffic_accessgate_1389)
────────────────────────────────────────
 246   resource "aws_security_group_rule" "egress_traffic_accessgate_1389" {
 247     security_group_id = aws_security_group.ec2_sg_accessgate.id
 248     type              = "egress"
 249     description       = "ORACLE LDAP"
 250     protocol          = "TCP"
 251     from_port         = 1389
 252     to_port           = 1389
 253 [   cidr_blocks       = ["0.0.0.0/0"]
 254   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:265
   via ccms-ec2-oracle_accessgate-sg.tf:258-266 (aws_security_group_rule.egress_traffic_accessgate_152x)
────────────────────────────────────────
 258   resource "aws_security_group_rule" "egress_traffic_accessgate_152x" {
 259     security_group_id = aws_security_group.ec2_sg_accessgate.id
 260     type              = "egress"
 261     description       = "ORACLE Net Listener"
 262     protocol          = "TCP"
 263     from_port         = 1521
 264     to_port           = 1522
 265 [   cidr_blocks       = ["0.0.0.0/0"]
 266   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:313
   via ccms-ec2-oracle_accessgate-sg.tf:306-314 (aws_security_group_rule.egress_traffic_accessgate_1636)
────────────────────────────────────────
 306   resource "aws_security_group_rule" "egress_traffic_accessgate_1636" {
 307     security_group_id = aws_security_group.ec2_sg_accessgate.id
 308     type              = "egress"
 309     description       = "Oracle LDAP SSL"
 310     protocol          = "TCP"
 311     from_port         = 1636
 312     to_port           = 1636
 313 [   cidr_blocks       = ["0.0.0.0/0"]
 314   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:241
   via ccms-ec2-oracle_accessgate-sg.tf:234-242 (aws_security_group_rule.egress_traffic_accessgate_22)
────────────────────────────────────────
 234   resource "aws_security_group_rule" "egress_traffic_accessgate_22" {
 235     security_group_id = aws_security_group.ec2_sg_accessgate.id
 236     type              = "egress"
 237     description       = "SSH"
 238     protocol          = "TCP"
 239     from_port         = 22
 240     to_port           = 22
 241 [   cidr_blocks       = ["0.0.0.0/0"]
 242   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:229
   via ccms-ec2-oracle_accessgate-sg.tf:222-230 (aws_security_group_rule.egress_traffic_accessgate_2x)
────────────────────────────────────────
 222   resource "aws_security_group_rule" "egress_traffic_accessgate_2x" {
 223     security_group_id = aws_security_group.ec2_sg_accessgate.id
 224     type              = "egress"
 225     description       = "FTP"
 226     protocol          = "TCP"
 227     from_port         = 20
 228     to_port           = 21
 229 [   cidr_blocks       = ["0.0.0.0/0"]
 230   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:217
   via ccms-ec2-oracle_accessgate-sg.tf:210-218 (aws_security_group_rule.egress_traffic_accessgate_443)
────────────────────────────────────────
 210   resource "aws_security_group_rule" "egress_traffic_accessgate_443" {
 211     security_group_id = aws_security_group.ec2_sg_accessgate.id
 212     type              = "egress"
 213     description       = "HTTPS"
 214     protocol          = "TCP"
 215     from_port         = 443
 216     to_port           = 443
 217 [   cidr_blocks       = ["0.0.0.0/0"]
 218   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:361
   via ccms-ec2-oracle_accessgate-sg.tf:354-362 (aws_security_group_rule.egress_traffic_accessgate_4443)
────────────────────────────────────────
 354   resource "aws_security_group_rule" "egress_traffic_accessgate_4443" {
 355     security_group_id = aws_security_group.ec2_sg_accessgate.id
 356     type              = "egress"
 357     description       = "Oracle HTTPS"
 358     protocol          = "TCP"
 359     from_port         = 4443
 360     to_port           = 4444
 361 [   cidr_blocks       = ["0.0.0.0/0"]
 362   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:337
   via ccms-ec2-oracle_accessgate-sg.tf:330-338 (aws_security_group_rule.egress_traffic_accessgate_50000)
────────────────────────────────────────
 330   resource "aws_security_group_rule" "egress_traffic_accessgate_50000" {
 331     security_group_id = aws_security_group.ec2_sg_accessgate.id
 332     type              = "egress"
 333     description       = "Oracle"
 334     protocol          = "TCP"
 335     from_port         = 50000
 336     to_port           = 51000
 337 [   cidr_blocks       = ["0.0.0.0/0"]
 338   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:277
   via ccms-ec2-oracle_accessgate-sg.tf:270-278 (aws_security_group_rule.egress_traffic_accessgate_5101)
────────────────────────────────────────
 270   resource "aws_security_group_rule" "egress_traffic_accessgate_5101" {
 271     security_group_id = aws_security_group.ec2_sg_accessgate.id
 272     type              = "egress"
 273     description       = "Oracle"
 274     protocol          = "TCP"
 275     from_port         = 5101
 276     to_port           = 5101
 277 [   cidr_blocks       = ["0.0.0.0/0"]
 278   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:289
   via ccms-ec2-oracle_accessgate-sg.tf:282-290 (aws_security_group_rule.egress_traffic_accessgate_5401)
────────────────────────────────────────
 282   resource "aws_security_group_rule" "egress_traffic_accessgate_5401" {
 283     security_group_id = aws_security_group.ec2_sg_accessgate.id
 284     type              = "egress"
 285     description       = "Oracle"
 286     protocol          = "TCP"
 287     from_port         = 5401
 288     to_port           = 5401
 289 [   cidr_blocks       = ["0.0.0.0/0"]
 290   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:301
   via ccms-ec2-oracle_accessgate-sg.tf:294-302 (aws_security_group_rule.egress_traffic_accessgate_5575)
────────────────────────────────────────
 294   resource "aws_security_group_rule" "egress_traffic_accessgate_5575" {
 295     security_group_id = aws_security_group.ec2_sg_accessgate.id
 296     type              = "egress"
 297     description       = "Oracle"
 298     protocol          = "TCP"
 299     from_port         = 5575
 300     to_port           = 5575
 301 [   cidr_blocks       = ["0.0.0.0/0"]
 302   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:205
   via ccms-ec2-oracle_accessgate-sg.tf:198-206 (aws_security_group_rule.egress_traffic_accessgate_80)
────────────────────────────────────────
 198   resource "aws_security_group_rule" "egress_traffic_accessgate_80" {
 199     security_group_id = aws_security_group.ec2_sg_accessgate.id
 200     type              = "egress"
 201     description       = "Oracle HTTPs"
 202     protocol          = "TCP"
 203     from_port         = 80
 204     to_port           = 80
 205 [   cidr_blocks       = ["0.0.0.0/0"]
 206   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_accessgate-sg.tf:349
   via ccms-ec2-oracle_accessgate-sg.tf:342-350 (aws_security_group_rule.egress_traffic_accessgate_800x)
────────────────────────────────────────
 342   resource "aws_security_group_rule" "egress_traffic_accessgate_800x" {
 343     security_group_id = aws_security_group.ec2_sg_accessgate.id
 344     type              = "egress"
 345     description       = "Oracle HTTP"
 346     protocol          = "TCP"
 347     from_port         = 8000
 348     to_port           = 8005
 349 [   cidr_blocks       = ["0.0.0.0/0"]
 350   }
────────────────────────────────────────



ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_accessgate" {
   2 │   count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4 │   ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8 │   #subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb-sg.tf (terraform)
==============================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb-sg.tf:38
   via ccms-ec2-oracle_ebs_apps-alb-sg.tf:31-39 (aws_security_group_rule.egress_traffic_ebslb_80)
────────────────────────────────────────
  31   resource "aws_security_group_rule" "egress_traffic_ebslb_80" {
  32     security_group_id = aws_security_group.ec2_sg_ebsapps.id
  33     type              = "egress"
  34     description       = "All"
  35     protocol          = "TCP"
  36     from_port         = 0
  37     to_port           = 0
  38 [   cidr_blocks       = ["0.0.0.0/0"]
  39   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb-sg.tf:23
   via ccms-ec2-oracle_ebs_apps-alb-sg.tf:16-24 (aws_security_group_rule.ingress_traffic_ebslb_443)
────────────────────────────────────────
  16   resource "aws_security_group_rule" "ingress_traffic_ebslb_443" {
  17     security_group_id = aws_security_group.sg_ebsapps_lb.id
  18     type              = "ingress"
  19     description       = "HTTPS"
  20     protocol          = "TCP"
  21     from_port         = 443
  22     to_port           = 443
  23 [   cidr_blocks       = ["0.0.0.0/0"]
  24   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests: 4 (SUCCESSES: 2, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1 ┌ resource "aws_lb" "ebsapps_lb" {
   2 │   name               = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
   3 │   internal           = false
   4 │   load_balancer_type = "application"
   5 │   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6 │   subnets            = data.aws_subnets.shared-public.ids
   7 │ 
   8 │   enable_deletion_protection = true
   9 └ 
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-alb.tf:3
   via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
   1   resource "aws_lb" "ebsapps_lb" {
   .   
   3 [   internal           = false
  ..   
  19   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-nlb.tf:18
   via ccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "ebsapps_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps-sg.tf (terraform)
==========================================
Tests: 26 (SUCCESSES: 12, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 0, CRITICAL: 14)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:325
   via ccms-ec2-oracle_ebs_apps-sg.tf:318-326 (aws_security_group_rule.egress_traffic_ebsapps_10401)
────────────────────────────────────────
 318   resource "aws_security_group_rule" "egress_traffic_ebsapps_10401" {
 319     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 320     type              = "egress"
 321     description       = "Oracle"
 322     protocol          = "TCP"
 323     from_port         = 10401
 324     to_port           = 10401
 325 [   cidr_blocks       = ["0.0.0.0/0"]
 326   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:253
   via ccms-ec2-oracle_ebs_apps-sg.tf:246-254 (aws_security_group_rule.egress_traffic_ebsapps_1389)
────────────────────────────────────────
 246   resource "aws_security_group_rule" "egress_traffic_ebsapps_1389" {
 247     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 248     type              = "egress"
 249     description       = "ORACLE LDAP"
 250     protocol          = "TCP"
 251     from_port         = 1389
 252     to_port           = 1389
 253 [   cidr_blocks       = ["0.0.0.0/0"]
 254   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:265
   via ccms-ec2-oracle_ebs_apps-sg.tf:258-266 (aws_security_group_rule.egress_traffic_ebsapps_152x)
────────────────────────────────────────
 258   resource "aws_security_group_rule" "egress_traffic_ebsapps_152x" {
 259     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 260     type              = "egress"
 261     description       = "ORACLE Net Listener"
 262     protocol          = "TCP"
 263     from_port         = 1521
 264     to_port           = 1522
 265 [   cidr_blocks       = ["0.0.0.0/0"]
 266   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:313
   via ccms-ec2-oracle_ebs_apps-sg.tf:306-314 (aws_security_group_rule.egress_traffic_ebsapps_1636)
────────────────────────────────────────
 306   resource "aws_security_group_rule" "egress_traffic_ebsapps_1636" {
 307     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 308     type              = "egress"
 309     description       = "Oracle LDAP SSL"
 310     protocol          = "TCP"
 311     from_port         = 1636
 312     to_port           = 1636
 313 [   cidr_blocks       = ["0.0.0.0/0"]
 314   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:241
   via ccms-ec2-oracle_ebs_apps-sg.tf:234-242 (aws_security_group_rule.egress_traffic_ebsapps_22)
────────────────────────────────────────
 234   resource "aws_security_group_rule" "egress_traffic_ebsapps_22" {
 235     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 236     type              = "egress"
 237     description       = "SSH"
 238     protocol          = "TCP"
 239     from_port         = 22
 240     to_port           = 22
 241 [   cidr_blocks       = ["0.0.0.0/0"]
 242   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:229
   via ccms-ec2-oracle_ebs_apps-sg.tf:222-230 (aws_security_group_rule.egress_traffic_ebsapps_2x)
────────────────────────────────────────
 222   resource "aws_security_group_rule" "egress_traffic_ebsapps_2x" {
 223     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 224     type              = "egress"
 225     description       = "FTP"
 226     protocol          = "TCP"
 227     from_port         = 20
 228     to_port           = 21
 229 [   cidr_blocks       = ["0.0.0.0/0"]
 230   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:217
   via ccms-ec2-oracle_ebs_apps-sg.tf:210-218 (aws_security_group_rule.egress_traffic_ebsapps_443)
────────────────────────────────────────
 210   resource "aws_security_group_rule" "egress_traffic_ebsapps_443" {
 211     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 212     type              = "egress"
 213     description       = "HTTPS"
 214     protocol          = "TCP"
 215     from_port         = 443
 216     to_port           = 443
 217 [   cidr_blocks       = ["0.0.0.0/0"]
 218   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:361
   via ccms-ec2-oracle_ebs_apps-sg.tf:354-362 (aws_security_group_rule.egress_traffic_ebsapps_4443)
────────────────────────────────────────
 354   resource "aws_security_group_rule" "egress_traffic_ebsapps_4443" {
 355     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 356     type              = "egress"
 357     description       = "Oracle HTTPS"
 358     protocol          = "TCP"
 359     from_port         = 4443
 360     to_port           = 4444
 361 [   cidr_blocks       = ["0.0.0.0/0"]
 362   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:337
   via ccms-ec2-oracle_ebs_apps-sg.tf:330-338 (aws_security_group_rule.egress_traffic_ebsapps_50000)
────────────────────────────────────────
 330   resource "aws_security_group_rule" "egress_traffic_ebsapps_50000" {
 331     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 332     type              = "egress"
 333     description       = "Oracle"
 334     protocol          = "TCP"
 335     from_port         = 50000
 336     to_port           = 51000
 337 [   cidr_blocks       = ["0.0.0.0/0"]
 338   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:277
   via ccms-ec2-oracle_ebs_apps-sg.tf:270-278 (aws_security_group_rule.egress_traffic_ebsapps_5101)
────────────────────────────────────────
 270   resource "aws_security_group_rule" "egress_traffic_ebsapps_5101" {
 271     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 272     type              = "egress"
 273     description       = "Oracle"
 274     protocol          = "TCP"
 275     from_port         = 5101
 276     to_port           = 5101
 277 [   cidr_blocks       = ["0.0.0.0/0"]
 278   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:289
   via ccms-ec2-oracle_ebs_apps-sg.tf:282-290 (aws_security_group_rule.egress_traffic_ebsapps_5401)
────────────────────────────────────────
 282   resource "aws_security_group_rule" "egress_traffic_ebsapps_5401" {
 283     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 284     type              = "egress"
 285     description       = "Oracle"
 286     protocol          = "TCP"
 287     from_port         = 5401
 288     to_port           = 5401
 289 [   cidr_blocks       = ["0.0.0.0/0"]
 290   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:301
   via ccms-ec2-oracle_ebs_apps-sg.tf:294-302 (aws_security_group_rule.egress_traffic_ebsapps_5575)
────────────────────────────────────────
 294   resource "aws_security_group_rule" "egress_traffic_ebsapps_5575" {
 295     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 296     type              = "egress"
 297     description       = "Oracle"
 298     protocol          = "TCP"
 299     from_port         = 5575
 300     to_port           = 5575
 301 [   cidr_blocks       = ["0.0.0.0/0"]
 302   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:205
   via ccms-ec2-oracle_ebs_apps-sg.tf:198-206 (aws_security_group_rule.egress_traffic_ebsapps_80)
────────────────────────────────────────
 198   resource "aws_security_group_rule" "egress_traffic_ebsapps_80" {
 199     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 200     type              = "egress"
 201     description       = "Oracle HTTPs"
 202     protocol          = "TCP"
 203     from_port         = 80
 204     to_port           = 80
 205 [   cidr_blocks       = ["0.0.0.0/0"]
 206   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps-sg.tf:349
   via ccms-ec2-oracle_ebs_apps-sg.tf:342-350 (aws_security_group_rule.egress_traffic_ebsapps_800x)
────────────────────────────────────────
 342   resource "aws_security_group_rule" "egress_traffic_ebsapps_800x" {
 343     security_group_id = aws_security_group.ec2_sg_ebsapps.id
 344     type              = "egress"
 345     description       = "Oracle HTTP"
 346     protocol          = "TCP"
 347     from_port         = 8000
 348     to_port           = 8005
 349 [   cidr_blocks       = ["0.0.0.0/0"]
 350   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_ebsapps" {
   2 │   count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4 │   ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8 │   #subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-ec2-oracle_ebs_db-sg.tf (terraform)
========================================
Tests: 27 (SUCCESSES: 12, FAILURES: 15, EXCEPTIONS: 0)
Failures: 15 (HIGH: 0, CRITICAL: 15)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:327
   via ccms-ec2-oracle_ebs_db-sg.tf:320-328 (aws_security_group_rule.egress_traffic_ebsdb_10401)
────────────────────────────────────────
 320   resource "aws_security_group_rule" "egress_traffic_ebsdb_10401" {
 321     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 322     type              = "egress"
 323     description       = "Oracle"
 324     protocol          = "TCP"
 325     from_port         = 10401
 326     to_port           = 10401
 327 [   cidr_blocks       = ["0.0.0.0/0"]
 328   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:255
   via ccms-ec2-oracle_ebs_db-sg.tf:248-256 (aws_security_group_rule.egress_traffic_ebsdb_1389)
────────────────────────────────────────
 248   resource "aws_security_group_rule" "egress_traffic_ebsdb_1389" {
 249     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 250     type              = "egress"
 251     description       = "ORACLE LDAP"
 252     protocol          = "TCP"
 253     from_port         = 1389
 254     to_port           = 1389
 255 [   cidr_blocks       = ["0.0.0.0/0"]
 256   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:267
   via ccms-ec2-oracle_ebs_db-sg.tf:260-268 (aws_security_group_rule.egress_traffic_ebsdb_152x)
────────────────────────────────────────
 260   resource "aws_security_group_rule" "egress_traffic_ebsdb_152x" {
 261     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 262     type              = "egress"
 263     description       = "ORACLE Net Listener"
 264     protocol          = "TCP"
 265     from_port         = 1521
 266     to_port           = 1522
 267 [   cidr_blocks       = ["0.0.0.0/0"]
 268   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:315
   via ccms-ec2-oracle_ebs_db-sg.tf:308-316 (aws_security_group_rule.egress_traffic_ebsdb_1636)
────────────────────────────────────────
 308   resource "aws_security_group_rule" "egress_traffic_ebsdb_1636" {
 309     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 310     type              = "egress"
 311     description       = "Oracle LDAP SSL"
 312     protocol          = "TCP"
 313     from_port         = 1636
 314     to_port           = 1636
 315 [   cidr_blocks       = ["0.0.0.0/0"]
 316   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:243
   via ccms-ec2-oracle_ebs_db-sg.tf:236-244 (aws_security_group_rule.egress_traffic_ebsdb_22)
────────────────────────────────────────
 236   resource "aws_security_group_rule" "egress_traffic_ebsdb_22" {
 237     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 238     type              = "egress"
 239     description       = "SSH"
 240     protocol          = "TCP"
 241     from_port         = 22
 242     to_port           = 22
 243 [   cidr_blocks       = ["0.0.0.0/0"]
 244   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:376
   via ccms-ec2-oracle_ebs_db-sg.tf:368-377 (aws_security_group_rule.egress_traffic_ebsdb_2525[0])
────────────────────────────────────────
 368   resource "aws_security_group_rule" "egress_traffic_ebsdb_2525" {
 369     count             = local.is-production ? 0 : 1
 370     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 371     type              = "egress"
 372     description       = "SMTP"
 373     protocol          = "TCP"
 374     from_port         = 2525
 375     to_port           = 2525
 376 [   cidr_blocks       = ["0.0.0.0/0"]
 377   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:231
   via ccms-ec2-oracle_ebs_db-sg.tf:224-232 (aws_security_group_rule.egress_traffic_ebsdb_2x)
────────────────────────────────────────
 224   resource "aws_security_group_rule" "egress_traffic_ebsdb_2x" {
 225     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 226     type              = "egress"
 227     description       = "FTP"
 228     protocol          = "TCP"
 229     from_port         = 20
 230     to_port           = 21
 231 [   cidr_blocks       = ["0.0.0.0/0"]
 232   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:219
   via ccms-ec2-oracle_ebs_db-sg.tf:212-220 (aws_security_group_rule.egress_traffic_ebsdb_443)
────────────────────────────────────────
 212   resource "aws_security_group_rule" "egress_traffic_ebsdb_443" {
 213     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 214     type              = "egress"
 215     description       = "HTTPS"
 216     protocol          = "TCP"
 217     from_port         = 443
 218     to_port           = 443
 219 [   cidr_blocks       = ["0.0.0.0/0"]
 220   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:363
   via ccms-ec2-oracle_ebs_db-sg.tf:356-364 (aws_security_group_rule.egress_traffic_ebsdb_4443)
────────────────────────────────────────
 356   resource "aws_security_group_rule" "egress_traffic_ebsdb_4443" {
 357     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 358     type              = "egress"
 359     description       = "Oracle HTTPS"
 360     protocol          = "TCP"
 361     from_port         = 4443
 362     to_port           = 4444
 363 [   cidr_blocks       = ["0.0.0.0/0"]
 364   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:339
   via ccms-ec2-oracle_ebs_db-sg.tf:332-340 (aws_security_group_rule.egress_traffic_ebsdb_50000)
────────────────────────────────────────
 332   resource "aws_security_group_rule" "egress_traffic_ebsdb_50000" {
 333     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 334     type              = "egress"
 335     description       = "Oracle"
 336     protocol          = "TCP"
 337     from_port         = 50000
 338     to_port           = 51000
 339 [   cidr_blocks       = ["0.0.0.0/0"]
 340   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:279
   via ccms-ec2-oracle_ebs_db-sg.tf:272-280 (aws_security_group_rule.egress_traffic_ebsdb_5101)
────────────────────────────────────────
 272   resource "aws_security_group_rule" "egress_traffic_ebsdb_5101" {
 273     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 274     type              = "egress"
 275     description       = "Oracle"
 276     protocol          = "TCP"
 277     from_port         = 5101
 278     to_port           = 5101
 279 [   cidr_blocks       = ["0.0.0.0/0"]
 280   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:291
   via ccms-ec2-oracle_ebs_db-sg.tf:284-292 (aws_security_group_rule.egress_traffic_ebsdb_5401)
────────────────────────────────────────
 284   resource "aws_security_group_rule" "egress_traffic_ebsdb_5401" {
 285     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 286     type              = "egress"
 287     description       = "Oracle"
 288     protocol          = "TCP"
 289     from_port         = 5401
 290     to_port           = 5401
 291 [   cidr_blocks       = ["0.0.0.0/0"]
 292   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:303
   via ccms-ec2-oracle_ebs_db-sg.tf:296-304 (aws_security_group_rule.egress_traffic_ebsdb_5575)
────────────────────────────────────────
 296   resource "aws_security_group_rule" "egress_traffic_ebsdb_5575" {
 297     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 298     type              = "egress"
 299     description       = "Oracle"
 300     protocol          = "TCP"
 301     from_port         = 5575
 302     to_port           = 5575
 303 [   cidr_blocks       = ["0.0.0.0/0"]
 304   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:207
   via ccms-ec2-oracle_ebs_db-sg.tf:200-208 (aws_security_group_rule.egress_traffic_ebsdb_80)
────────────────────────────────────────
 200   resource "aws_security_group_rule" "egress_traffic_ebsdb_80" {
 201     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 202     type              = "egress"
 203     description       = "Oracle HTTPs"
 204     protocol          = "TCP"
 205     from_port         = 80
 206     to_port           = 80
 207 [   cidr_blocks       = ["0.0.0.0/0"]
 208   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db-sg.tf:351
   via ccms-ec2-oracle_ebs_db-sg.tf:344-352 (aws_security_group_rule.egress_traffic_ebsdb_800x)
────────────────────────────────────────
 344   resource "aws_security_group_rule" "egress_traffic_ebsdb_800x" {
 345     security_group_id = aws_security_group.ec2_sg_ebsdb.id
 346     type              = "egress"
 347     description       = "Oracle HTTP"
 348     protocol          = "TCP"
 349     from_port         = 8000
 350     to_port           = 8005
 351 [   cidr_blocks       = ["0.0.0.0/0"]
 352   }
────────────────────────────────────────



ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests: 16 (SUCCESSES: 15, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
   2 │   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4 │   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5 │   key_name                    = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
   8 │   monitoring                  = true
   9 └   ebs_optimized               = false
  ..   
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb-sg.tf (terraform)
=============================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb-sg.tf:39
   via ccms-ec2-oracle_webgate-alb-sg.tf:32-40 (aws_security_group_rule.egress_traffic_webgatelb_80)
────────────────────────────────────────
  32   resource "aws_security_group_rule" "egress_traffic_webgatelb_80" {
  33     security_group_id = aws_security_group.sg_webgate_lb.id
  34     type              = "egress"
  35     description       = "All"
  36     protocol          = "TCP"
  37     from_port         = 0
  38     to_port           = 0
  39 [   cidr_blocks       = ["0.0.0.0/0"]
  40   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb-sg.tf:24
   via ccms-ec2-oracle_webgate-alb-sg.tf:17-25 (aws_security_group_rule.ingress_traffic_webgatelb_443)
────────────────────────────────────────
  17   resource "aws_security_group_rule" "ingress_traffic_webgatelb_443" {
  18     security_group_id = aws_security_group.sg_webgate_lb.id
  19     type              = "ingress"
  20     description       = "HTTPS"
  21     protocol          = "TCP"
  22     from_port         = 443
  23     to_port           = 443
  24 [   cidr_blocks       = ["0.0.0.0/0"]
  25   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests: 8 (SUCCESSES: 5, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
   1 ┌ resource "aws_lb" "webgate_lb" {
   2 │   count              = local.is-production ? 1 : 1
   3 │   name               = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
   4 │   internal           = true
   5 │   load_balancer_type = "application"
   6 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
   7 │   subnets            = data.aws_subnets.shared-private.ids
   89 └   enable_deletion_protection = true
  ..   
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
  62 ┌ resource "aws_lb" "webgate_public_lb" {
  63 │   name               = lower(format("public-alb-webgate"))
  64 │   internal           = false
  65 │   load_balancer_type = "application"
  66 │   security_groups    = [aws_security_group.sg_webgate_lb.id]
  67 │   subnets            = data.aws_subnets.shared-public.ids
  6869 │   enable_deletion_protection = true
  70 └ 
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-alb.tf:64
   via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
  62   resource "aws_lb" "webgate_public_lb" {
  ..   
  64 [   internal           = false
  ..   
  80   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 ccms-ec2-oracle_webgate-nlb.tf:18
   via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
  16   resource "aws_lb" "webgate_nlb" {
  ..   
  18 [   internal           = false
  ..   
  42   }
────────────────────────────────────────



ccms-ec2-oracle_webgate-sg.tf (terraform)
=========================================
Tests: 26 (SUCCESSES: 12, FAILURES: 14, EXCEPTIONS: 0)
Failures: 14 (HIGH: 0, CRITICAL: 14)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:326
   via ccms-ec2-oracle_webgate-sg.tf:319-327 (aws_security_group_rule.egress_traffic_webgate_10401)
────────────────────────────────────────
 319   resource "aws_security_group_rule" "egress_traffic_webgate_10401" {
 320     security_group_id = aws_security_group.ec2_sg_webgate.id
 321     type              = "egress"
 322     description       = "Oracle"
 323     protocol          = "TCP"
 324     from_port         = 10401
 325     to_port           = 10401
 326 [   cidr_blocks       = ["0.0.0.0/0"]
 327   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:254
   via ccms-ec2-oracle_webgate-sg.tf:247-255 (aws_security_group_rule.egress_traffic_webgate_1389)
────────────────────────────────────────
 247   resource "aws_security_group_rule" "egress_traffic_webgate_1389" {
 248     security_group_id = aws_security_group.ec2_sg_webgate.id
 249     type              = "egress"
 250     description       = "ORACLE LDAP"
 251     protocol          = "TCP"
 252     from_port         = 1389
 253     to_port           = 1389
 254 [   cidr_blocks       = ["0.0.0.0/0"]
 255   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:266
   via ccms-ec2-oracle_webgate-sg.tf:259-267 (aws_security_group_rule.egress_traffic_webgate_152x)
────────────────────────────────────────
 259   resource "aws_security_group_rule" "egress_traffic_webgate_152x" {
 260     security_group_id = aws_security_group.ec2_sg_webgate.id
 261     type              = "egress"
 262     description       = "ORACLE Net Listener"
 263     protocol          = "TCP"
 264     from_port         = 1521
 265     to_port           = 1522
 266 [   cidr_blocks       = ["0.0.0.0/0"]
 267   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:314
   via ccms-ec2-oracle_webgate-sg.tf:307-315 (aws_security_group_rule.egress_traffic_webgate_1636)
────────────────────────────────────────
 307   resource "aws_security_group_rule" "egress_traffic_webgate_1636" {
 308     security_group_id = aws_security_group.ec2_sg_webgate.id
 309     type              = "egress"
 310     description       = "Oracle LDAP SSL"
 311     protocol          = "TCP"
 312     from_port         = 1636
 313     to_port           = 1636
 314 [   cidr_blocks       = ["0.0.0.0/0"]
 315   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:242
   via ccms-ec2-oracle_webgate-sg.tf:235-243 (aws_security_group_rule.egress_traffic_webgate_22)
────────────────────────────────────────
 235   resource "aws_security_group_rule" "egress_traffic_webgate_22" {
 236     security_group_id = aws_security_group.ec2_sg_webgate.id
 237     type              = "egress"
 238     description       = "SSH"
 239     protocol          = "TCP"
 240     from_port         = 22
 241     to_port           = 22
 242 [   cidr_blocks       = ["0.0.0.0/0"]
 243   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:230
   via ccms-ec2-oracle_webgate-sg.tf:223-231 (aws_security_group_rule.egress_traffic_webgate_2x)
────────────────────────────────────────
 223   resource "aws_security_group_rule" "egress_traffic_webgate_2x" {
 224     security_group_id = aws_security_group.ec2_sg_webgate.id
 225     type              = "egress"
 226     description       = "FTP"
 227     protocol          = "TCP"
 228     from_port         = 20
 229     to_port           = 21
 230 [   cidr_blocks       = ["0.0.0.0/0"]
 231   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:218
   via ccms-ec2-oracle_webgate-sg.tf:211-219 (aws_security_group_rule.egress_traffic_webgate_443)
────────────────────────────────────────
 211   resource "aws_security_group_rule" "egress_traffic_webgate_443" {
 212     security_group_id = aws_security_group.ec2_sg_webgate.id
 213     type              = "egress"
 214     description       = "HTTPS"
 215     protocol          = "TCP"
 216     from_port         = 443
 217     to_port           = 443
 218 [   cidr_blocks       = ["0.0.0.0/0"]
 219   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:362
   via ccms-ec2-oracle_webgate-sg.tf:355-363 (aws_security_group_rule.egress_traffic_webgate_4443)
────────────────────────────────────────
 355   resource "aws_security_group_rule" "egress_traffic_webgate_4443" {
 356     security_group_id = aws_security_group.ec2_sg_webgate.id
 357     type              = "egress"
 358     description       = "Oracle HTTPS"
 359     protocol          = "TCP"
 360     from_port         = 4443
 361     to_port           = 4444
 362 [   cidr_blocks       = ["0.0.0.0/0"]
 363   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:338
   via ccms-ec2-oracle_webgate-sg.tf:331-339 (aws_security_group_rule.egress_traffic_webgate_50000)
────────────────────────────────────────
 331   resource "aws_security_group_rule" "egress_traffic_webgate_50000" {
 332     security_group_id = aws_security_group.ec2_sg_webgate.id
 333     type              = "egress"
 334     description       = "Oracle"
 335     protocol          = "TCP"
 336     from_port         = 50000
 337     to_port           = 51000
 338 [   cidr_blocks       = ["0.0.0.0/0"]
 339   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:278
   via ccms-ec2-oracle_webgate-sg.tf:271-279 (aws_security_group_rule.egress_traffic_webgate_5101)
────────────────────────────────────────
 271   resource "aws_security_group_rule" "egress_traffic_webgate_5101" {
 272     security_group_id = aws_security_group.ec2_sg_webgate.id
 273     type              = "egress"
 274     description       = "Oracle"
 275     protocol          = "TCP"
 276     from_port         = 5101
 277     to_port           = 5101
 278 [   cidr_blocks       = ["0.0.0.0/0"]
 279   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:290
   via ccms-ec2-oracle_webgate-sg.tf:283-291 (aws_security_group_rule.egress_traffic_webgate_5401)
────────────────────────────────────────
 283   resource "aws_security_group_rule" "egress_traffic_webgate_5401" {
 284     security_group_id = aws_security_group.ec2_sg_webgate.id
 285     type              = "egress"
 286     description       = "Oracle"
 287     protocol          = "TCP"
 288     from_port         = 5401
 289     to_port           = 5401
 290 [   cidr_blocks       = ["0.0.0.0/0"]
 291   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:302
   via ccms-ec2-oracle_webgate-sg.tf:295-303 (aws_security_group_rule.egress_traffic_webgate_5575)
────────────────────────────────────────
 295   resource "aws_security_group_rule" "egress_traffic_webgate_5575" {
 296     security_group_id = aws_security_group.ec2_sg_webgate.id
 297     type              = "egress"
 298     description       = "Oracle"
 299     protocol          = "TCP"
 300     from_port         = 5575
 301     to_port           = 5575
 302 [   cidr_blocks       = ["0.0.0.0/0"]
 303   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:206
   via ccms-ec2-oracle_webgate-sg.tf:199-207 (aws_security_group_rule.egress_traffic_webgate_80)
────────────────────────────────────────
 199   resource "aws_security_group_rule" "egress_traffic_webgate_80" {
 200     security_group_id = aws_security_group.ec2_sg_webgate.id
 201     type              = "egress"
 202     description       = "Oracle HTTPs"
 203     protocol          = "TCP"
 204     from_port         = 80
 205     to_port           = 80
 206 [   cidr_blocks       = ["0.0.0.0/0"]
 207   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ccms-ec2-oracle_webgate-sg.tf:350
   via ccms-ec2-oracle_webgate-sg.tf:343-351 (aws_security_group_rule.egress_traffic_webgate_800x)
────────────────────────────────────────
 343   resource "aws_security_group_rule" "egress_traffic_webgate_800x" {
 344     security_group_id = aws_security_group.ec2_sg_webgate.id
 345     type              = "egress"
 346     description       = "Oracle HTTP"
 347     protocol          = "TCP"
 348     from_port         = 8000
 349     to_port           = 8005
 350 [   cidr_blocks       = ["0.0.0.0/0"]
 351   }
────────────────────────────────────────



ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1 ┌ resource "aws_instance" "ec2_webgate" {
   2 │   count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3 │   instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4 │   ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5 │   key_name               = local.application_data.accounts[local.environment].key_name
   6 │   vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7 │   subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9 └   monitoring                  = true
  ..   
────────────────────────────────────────



ccms-sns.tf (terraform)
=======================
Tests: 6 (SUCCESSES: 3, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ccms-sns.tf:17-20
────────────────────────────────────────
  17 ┌ resource "aws_sns_topic" "cw_alerts" {
  18 │   name = "ccms-ebs-ec2-alerts"
  19 │   #kms_master_key_id = "alias/aws/sns"
  20 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ccms-sns.tf:51-54
────────────────────────────────────────
  51 ┌ resource "aws_sns_topic" "ddos_alarm" {
  52 │   name = format("%s_ddos_alarm", local.application_name)
  53 │   #kms_master_key_id = "alias/aws/sns"
  54 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ccms-sns.tf:34-37
────────────────────────────────────────
  34 ┌ resource "aws_sns_topic" "s3_topic" {
  35 │   name   = "s3-event-notification-topic"
  36 │   policy = data.aws_iam_policy_document.s3_topic_policy.json
  37 └ }
────────────────────────────────────────


trivy_exitcode=1

@mmgovuk mmgovuk had a problem deploying to laa-oem-development August 9, 2024 14:39 — with GitHub Actions Error
@mmgovuk mmgovuk temporarily deployed to ccms-ebs-upgrade-development August 9, 2024 14:39 — with GitHub Actions Inactive
@mmgovuk mmgovuk temporarily deployed to ccms-ebs-upgrade-test August 9, 2024 14:39 — with GitHub Actions Inactive
@mmgovuk mmgovuk marked this pull request as ready for review August 13, 2024 09:06
@mmgovuk mmgovuk requested review from a team as code owners August 13, 2024 09:06
@mmgovuk mmgovuk merged commit c4472e8 into main Aug 13, 2024
29 of 32 checks passed
@mmgovuk mmgovuk deleted the CC-2605/ELBSecurityPolicy-upgrade branch August 13, 2024 09:35