You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This version updates the bucket policy to deny connections where the TLS version is below 1.2. Prior to this, non-TLS connections were denied, but now less-secure TLS versions will also be denied.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Trivy will check the following folders:
terraform/environments/ccms-ebs-upgrade
Running Trivy in terraform/environments/ccms-ebs-upgrade
2024-08-16T01:09:49Z INFO [db] Need to update DB
2024-08-16T01:09:49Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T01:09:51Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T01:09:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T01:09:51Z INFO Need to update the built-in policies
2024-08-16T01:09:51Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T01:09:51Z INFO [secret] Secret scanning is enabled
2024-08-16T01:09:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T01:09:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T01:09:54Z INFO Number of language-specific files num=0
2024-08-16T01:09:54Z INFO Detected config files num=27
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs-upgrade
*****************************
Running Checkov in terraform/environments/ccms-ebs-upgrade
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-16 01:09:56,401 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-08-16 01:09:56,402 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0:None (for external modules, the --download-external-modules flag is required)
2024-08-16 01:09:56,402 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 774, Failed checks: 33, Skipped checks: 0
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-ebsapp", local.application_name))
3 | internal = true
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-private.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-ebsapp", local.application_name)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ec2-oracle_ebs_apps-alb.tf:38-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
38 | resource "aws_lb_target_group" "ebsapp_tg" {
39 | name = lower(format("tg-%s-ebsapp", local.application_name))
40 | port = local.application_data.accounts[local.environment].tg_apps_port
41 | protocol = "HTTP"
42 | vpc_id = data.aws_vpc.shared.id
43 | health_check {
44 | port = local.application_data.accounts[local.environment].tg_apps_port
45 | protocol = "HTTP"
46 | }
47 |
48 | stickiness {
49 | enabled = true
50 | type = "lb_cookie"
51 | cookie_duration = 3600
52 | }
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ec2-oracle_ebs_apps.tf:1-50
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ec2-oracle_ebs_apps.tf:1-50
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_conc
File: /ec2-oracle_ebs_conc.tf:1-48
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
1 | resource "aws_instance" "ec2_oracle_conc" {
2 | count = local.application_data.accounts[local.environment].conc_no_instances
3 | instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
4 | ami = local.application_data.accounts[local.environment].ebsconc_ami_id
5 | key_name = local.application_data.accounts[local.environment].key_name
6 | vpc_security_group_ids = [aws_security_group.ec2_sg_ebsconc.id]
7 | subnet_id = data.aws_subnet.data_subnets_a.id
8 | monitoring = true
9 | ebs_optimized = local.application_data.accounts[local.environment].ebs_optimized
10 | associate_public_ip_address = false
11 | iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
12 |
13 | cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsconc
14 | cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsconc
15 |
16 | # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
17 | #lifecycle {
18 | # ignore_changes = [ebs_block_device]
19 | #}
20 | lifecycle {
21 | ignore_changes = [
22 | cpu_core_count,
23 | ebs_block_device,
24 | ebs_optimized,
25 | user_data,
26 | user_data_replace_on_change
27 | ]
28 | }
29 | user_data_replace_on_change = false
30 | user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
31 | environment = "${local.environment}"
32 | hostname = "ebs"
33 | }))
34 |
35 | metadata_options {
36 | http_endpoint = "enabled"
37 | http_tokens = "required"
38 | }
39 |
40 | tags = merge(local.tags,
41 | { Name = lower(format("ec2-%s-%s-ebsconc", local.application_name, local.environment)) },
42 | { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-ebsconc },
43 | { instance-role = local.application_data.accounts[local.environment].instance_role_ebsconc },
44 | { backup = "true" },
45 | { OracleDbLTS-ManagedInstance = "true" }
46 | )
47 | depends_on = [aws_security_group.ec2_sg_ebsconc]
48 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_conc
File: /ec2-oracle_ebs_conc.tf:1-48
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
1 | resource "aws_instance" "ec2_oracle_conc" {
2 | count = local.application_data.accounts[local.environment].conc_no_instances
3 | instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
4 | ami = local.application_data.accounts[local.environment].ebsconc_ami_id
5 | key_name = local.application_data.accounts[local.environment].key_name
6 | vpc_security_group_ids = [aws_security_group.ec2_sg_ebsconc.id]
7 | subnet_id = data.aws_subnet.data_subnets_a.id
8 | monitoring = true
9 | ebs_optimized = local.application_data.accounts[local.environment].ebs_optimized
10 | associate_public_ip_address = false
11 | iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
12 |
13 | cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsconc
14 | cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsconc
15 |
16 | # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
17 | #lifecycle {
18 | # ignore_changes = [ebs_block_device]
19 | #}
20 | lifecycle {
21 | ignore_changes = [
22 | cpu_core_count,
23 | ebs_block_device,
24 | ebs_optimized,
25 | user_data,
26 | user_data_replace_on_change
27 | ]
28 | }
29 | user_data_replace_on_change = false
30 | user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
31 | environment = "${local.environment}"
32 | hostname = "ebs"
33 | }))
34 |
35 | metadata_options {
36 | http_endpoint = "enabled"
37 | http_tokens = "required"
38 | }
39 |
40 | tags = merge(local.tags,
41 | { Name = lower(format("ec2-%s-%s-ebsconc", local.application_name, local.environment)) },
42 | { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-ebsconc },
43 | { instance-role = local.application_data.accounts[local.environment].instance_role_ebsconc },
44 | { backup = "true" },
45 | { OracleDbLTS-ManagedInstance = "true" }
46 | )
47 | depends_on = [aws_security_group.ec2_sg_ebsconc]
48 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ec2-oracle_ebs_db.tf:1-48
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
1 | resource "aws_instance" "ec2_oracle_ebs" {
2 | instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 | #ami = data.aws_ami.oracle_db.id
4 | ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 | key_name = local.application_data.accounts[local.environment].key_name
6 | vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 | subnet_id = data.aws_subnet.data_subnets_a.id
8 | monitoring = true
9 | ebs_optimized = false
10 | associate_public_ip_address = false
11 | iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
12 |
13 | cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb
14 | cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb
15 |
16 | # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
17 | #lifecycle {
18 | # ignore_changes = [ebs_block_device]
19 | #}
20 | lifecycle {
21 | ignore_changes = [
22 | cpu_core_count,
23 | ebs_block_device,
24 | ebs_optimized,
25 | user_data,
26 | user_data_replace_on_change
27 | ]
28 | }
29 | user_data_replace_on_change = false
30 | user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
31 | environment = "${local.environment}"
32 | hostname = "ebs"
33 | }))
34 |
35 | metadata_options {
36 | http_endpoint = "enabled"
37 | http_tokens = "required"
38 | }
39 |
40 | tags = merge(local.tags,
41 | { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) },
42 | { instance-role = local.application_data.accounts[local.environment].instance_role_ebsdb },
43 | { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-ebsdb },
44 | { backup = "true" },
45 | { OracleDbLTS-ManagedInstance = "true" }
46 | )
47 | depends_on = [aws_security_group.ec2_sg_ebsdb]
48 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ec2-oracle_ebs_db.tf:1-48
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
1 | resource "aws_instance" "ec2_oracle_ebs" {
2 | instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 | #ami = data.aws_ami.oracle_db.id
4 | ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 | key_name = local.application_data.accounts[local.environment].key_name
6 | vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 | subnet_id = data.aws_subnet.data_subnets_a.id
8 | monitoring = true
9 | ebs_optimized = false
10 | associate_public_ip_address = false
11 | iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
12 |
13 | cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb
14 | cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb
15 |
16 | # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
17 | #lifecycle {
18 | # ignore_changes = [ebs_block_device]
19 | #}
20 | lifecycle {
21 | ignore_changes = [
22 | cpu_core_count,
23 | ebs_block_device,
24 | ebs_optimized,
25 | user_data,
26 | user_data_replace_on_change
27 | ]
28 | }
29 | user_data_replace_on_change = false
30 | user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
31 | environment = "${local.environment}"
32 | hostname = "ebs"
33 | }))
34 |
35 | metadata_options {
36 | http_endpoint = "enabled"
37 | http_tokens = "required"
38 | }
39 |
40 | tags = merge(local.tags,
41 | { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) },
42 | { instance-role = local.application_data.accounts[local.environment].instance_role_ebsdb },
43 | { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-ebsdb },
44 | { backup = "true" },
45 | { OracleDbLTS-ManagedInstance = "true" }
46 | )
47 | depends_on = [aws_security_group.ec2_sg_ebsdb]
48 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ec2-oracle_webgate-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | name = lower(format("lb-%s-webgate", local.application_name))
3 | internal = true
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_webgate_lb.id]
6 | subnets = data.aws_subnets.shared-private.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_wgate_public
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-webgate", local.application_name)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ec2-oracle_webgate-alb.tf:38-49
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
38 | resource "aws_lb_target_group" "webgate_tg" {
39 | name = lower(format("tg-%s-webgate", local.application_name))
40 | port = 5401
41 | protocol = "HTTP"
42 | vpc_id = data.aws_vpc.shared.id
43 | health_check {
44 | port = 5401
45 | protocol = "HTTP"
46 | matcher = 302
47 | timeout = 10
48 | }
49 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_efs_file_system.appshare
File: /efs.tf:1-8
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-104
1 | resource "aws_efs_file_system" "appshare" {
2 | encrypted = true
3 | throughput_mode = "bursting"
4 | performance_mode = "maxIO"
5 | tags = merge(local.tags,
6 | { Name = "appshare" }
7 | )
8 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.efs-security-group
File: /efs.tf:34-63
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
34 | resource "aws_security_group" "efs-security-group" {
35 | name_prefix = "efs-security-group"
36 | description = "allow inbound access from ebsdb and ebsconc"
37 | vpc_id = data.aws_vpc.shared.id
38 |
39 | # Allow inbound access from container instances
40 | ingress {
41 | protocol = "tcp"
42 | from_port = 2049
43 | to_port = 2049
44 | cidr_blocks = [
45 | data.aws_subnet.data_subnets_a.cidr_block,
46 | data.aws_subnet.data_subnets_b.cidr_block,
47 | data.aws_subnet.data_subnets_c.cidr_block,
48 | ]
49 | }
50 |
51 | egress {
52 | protocol = "-1"
53 | from_port = 0
54 | to_port = 0
55 | cidr_blocks = [
56 | "0.0.0.0/0",
57 | ]
58 | }
59 |
60 | tags = merge(local.tags,
61 | { Name = lower(format("sg-%s-%s-efs", local.application_name, local.environment)) }
62 | )
63 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /s3.tf:2-69
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /s3.tf:96-162
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /s3.tf:186-252
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /sns.tf:2-6
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | recovery_window_in_days = local.is-production ? 30 : 0
6 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /sns.tf:18-21
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
18 | resource "aws_sns_topic" "cw_alerts" {
19 | name = "ccms-ebs-ec2-alerts"
20 | #kms_master_key_id = "alias/aws/sns"
21 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /sns.tf:35-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
35 | resource "aws_sns_topic" "s3_topic" {
36 | name = "s3-event-notification-topic"
37 | policy = data.aws_iam_policy_document.s3_topic_policy.json
38 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /sns.tf:52-55
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
52 | resource "aws_sns_topic" "ddos_alarm" {
53 | name = format("%s_ddos_alarm", local.application_name)
54 | #kms_master_key_id = "alias/aws/sns"
55 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /sns.tf:2-6
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | recovery_window_in_days = local.is-production ? 30 : 0
6 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/ccms-ebs-upgrade
*****************************
Running tflint in terraform/environments/ccms-ebs-upgrade
Excluding the following checks: terraform_unused_declarations
2issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs-upgrade
*****************************
Running Trivy in terraform/environments/ccms-ebs-upgrade
2024-08-16T01:09:49Z INFO [db] Need to update DB
2024-08-16T01:09:49Z INFO [db] Downloading DB...repository="ghcr.io/aquasecurity/trivy-db:2"2024-08-16T01:09:51Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T01:09:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T01:09:51Z INFO Need to update the built-in policies
2024-08-16T01:09:51Z INFO Downloading the built-in policies...74.86 KiB /74.86 KiB [-----------------------------------------------------------] 100.00%? p/s 0s2024-08-16T01:09:51Z INFO [secret] Secret scanning is enabled
2024-08-16T01:09:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T01:09:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection2024-08-16T01:09:54Z INFO Number of language-specific files num=02024-08-16T01:09:54Z INFO Detected config files num=27
ec2-oracle_accessgate-sg.tf (terraform)
=======================================
Tests:26 (SUCCESSES:12, FAILURES:14, EXCEPTIONS:0)
Failures:14 (HIGH:0, CRITICAL:14)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:325
via ec2-oracle_accessgate-sg.tf:318-326 (aws_security_group_rule.egress_traffic_accessgate_10401)
────────────────────────────────────────
318 resource"aws_security_group_rule""egress_traffic_accessgate_10401" {
319security_group_id=aws_security_group.ec2_sg_accessgate.id320type="egress"321description="Oracle"322protocol="TCP"323from_port=10401324to_port=10401325 [ cidr_blocks = ["0.0.0.0/0"]
326 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:253viaec2-oracle_accessgate-sg.tf:246-254 (aws_security_group_rule.egress_traffic_accessgate_1389)
────────────────────────────────────────
246resource"aws_security_group_rule""egress_traffic_accessgate_1389" {
247 security_group_id = aws_security_group.ec2_sg_accessgate.id
248 type ="egress"249 description ="ORACLE LDAP"250 protocol ="TCP"251 from_port =1389252 to_port =1389253 [ cidr_blocks = ["0.0.0.0/0"]
254 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:265viaec2-oracle_accessgate-sg.tf:258-266 (aws_security_group_rule.egress_traffic_accessgate_152x)
────────────────────────────────────────
258resource"aws_security_group_rule""egress_traffic_accessgate_152x" {
259 security_group_id = aws_security_group.ec2_sg_accessgate.id
260 type ="egress"261 description ="ORACLE Net Listener"262 protocol ="TCP"263 from_port =1521264 to_port =1522265 [ cidr_blocks = ["0.0.0.0/0"]
266 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:313viaec2-oracle_accessgate-sg.tf:306-314 (aws_security_group_rule.egress_traffic_accessgate_1636)
────────────────────────────────────────
306resource"aws_security_group_rule""egress_traffic_accessgate_1636" {
307 security_group_id = aws_security_group.ec2_sg_accessgate.id
308 type ="egress"309 description ="Oracle LDAP SSL"310 protocol ="TCP"311 from_port =1636312 to_port =1636313 [ cidr_blocks = ["0.0.0.0/0"]
314 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:241viaec2-oracle_accessgate-sg.tf:234-242 (aws_security_group_rule.egress_traffic_accessgate_22)
────────────────────────────────────────
234resource"aws_security_group_rule""egress_traffic_accessgate_22" {
235 security_group_id = aws_security_group.ec2_sg_accessgate.id
236 type ="egress"237 description ="SSH"238 protocol ="TCP"239 from_port =22240 to_port =22241 [ cidr_blocks = ["0.0.0.0/0"]
242 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:229viaec2-oracle_accessgate-sg.tf:222-230 (aws_security_group_rule.egress_traffic_accessgate_2x)
────────────────────────────────────────
222resource"aws_security_group_rule""egress_traffic_accessgate_2x" {
223 security_group_id = aws_security_group.ec2_sg_accessgate.id
224 type ="egress"225 description ="FTP"226 protocol ="TCP"227 from_port =20228 to_port =21229 [ cidr_blocks = ["0.0.0.0/0"]
230 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:217viaec2-oracle_accessgate-sg.tf:210-218 (aws_security_group_rule.egress_traffic_accessgate_443)
────────────────────────────────────────
210resource"aws_security_group_rule""egress_traffic_accessgate_443" {
211 security_group_id = aws_security_group.ec2_sg_accessgate.id
212 type ="egress"213 description ="HTTPS"214 protocol ="TCP"215 from_port =443216 to_port =443217 [ cidr_blocks = ["0.0.0.0/0"]
218 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:361viaec2-oracle_accessgate-sg.tf:354-362 (aws_security_group_rule.egress_traffic_accessgate_4443)
────────────────────────────────────────
354resource"aws_security_group_rule""egress_traffic_accessgate_4443" {
355 security_group_id = aws_security_group.ec2_sg_accessgate.id
356 type ="egress"357 description ="Oracle HTTPS"358 protocol ="TCP"359 from_port =4443360 to_port =4444361 [ cidr_blocks = ["0.0.0.0/0"]
362 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:337viaec2-oracle_accessgate-sg.tf:330-338 (aws_security_group_rule.egress_traffic_accessgate_50000)
────────────────────────────────────────
330resource"aws_security_group_rule""egress_traffic_accessgate_50000" {
331 security_group_id = aws_security_group.ec2_sg_accessgate.id
332 type ="egress"333 description ="Oracle"334 protocol ="TCP"335 from_port =50000336 to_port =51000337 [ cidr_blocks = ["0.0.0.0/0"]
338 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:277viaec2-oracle_accessgate-sg.tf:270-278 (aws_security_group_rule.egress_traffic_accessgate_5101)
────────────────────────────────────────
270resource"aws_security_group_rule""egress_traffic_accessgate_5101" {
271 security_group_id = aws_security_group.ec2_sg_accessgate.id
272 type ="egress"273 description ="Oracle"274 protocol ="TCP"275 from_port =5101276 to_port =5101277 [ cidr_blocks = ["0.0.0.0/0"]
278 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:289viaec2-oracle_accessgate-sg.tf:282-290 (aws_security_group_rule.egress_traffic_accessgate_5401)
────────────────────────────────────────
282resource"aws_security_group_rule""egress_traffic_accessgate_5401" {
283 security_group_id = aws_security_group.ec2_sg_accessgate.id
284 type ="egress"285 description ="Oracle"286 protocol ="TCP"287 from_port =5401288 to_port =5401289 [ cidr_blocks = ["0.0.0.0/0"]
290 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:301viaec2-oracle_accessgate-sg.tf:294-302 (aws_security_group_rule.egress_traffic_accessgate_5575)
────────────────────────────────────────
294resource"aws_security_group_rule""egress_traffic_accessgate_5575" {
295 security_group_id = aws_security_group.ec2_sg_accessgate.id
296 type ="egress"297 description ="Oracle"298 protocol ="TCP"299 from_port =5575300 to_port =5575301 [ cidr_blocks = ["0.0.0.0/0"]
302 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:205viaec2-oracle_accessgate-sg.tf:198-206 (aws_security_group_rule.egress_traffic_accessgate_80)
────────────────────────────────────────
198resource"aws_security_group_rule""egress_traffic_accessgate_80" {
199 security_group_id = aws_security_group.ec2_sg_accessgate.id
200 type ="egress"201 description ="Oracle HTTPs"202 protocol ="TCP"203 from_port =80204 to_port =80205 [ cidr_blocks = ["0.0.0.0/0"]
206 }
────────────────────────────────────────
CRITICAL:Securitygroupruleallowsegresstomultiplepublicinternetaddresses.
════════════════════════════════════════
Openingupportstoconnectouttothepublicinternetisgenerallytobeavoided.YoushouldrestrictaccesstoIPaddressesorrangesthatareexplicitlyrequiredwherepossible.Seehttps://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_accessgate-sg.tf:349viaec2-oracle_accessgate-sg.tf:342-350 (aws_security_group_rule.egress_traffic_accessgate_800x)
────────────────────────────────────────
342resource"aws_security_group_rule""egress_traffic_accessgate_800x" {
343 security_group_id = aws_security_group.ec2_sg_accessgate.id
344 type ="egress"345 description ="Oracle HTTP"346 protocol ="TCP"347 from_port =8000348 to_port =8005349 [ cidr_blocks = ["0.0.0.0/0"]
350 }
────────────────────────────────────────
ec2-oracle_accessgate.tf (terraform)
====================================Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH:InstancedoesnotrequireIMDSaccesstorequireatoken
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ec2-oracle_ebs_apps-alb-sg.tf (terraform)
=========================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-alb-sg.tf:41
via ec2-oracle_ebs_apps-alb-sg.tf:34-42 (aws_security_group_rule.egress_traffic_ebslb_80)
────────────────────────────────────────
34 resource "aws_security_group_rule""egress_traffic_ebslb_80" {
35 security_group_id = aws_security_group.ec2_sg_ebsapps.id
36 type ="egress"37 description ="All"38 protocol ="TCP"39 from_port =040 to_port =041 [ cidr_blocks = ["0.0.0.0/0"]
42 }
────────────────────────────────────────
ec2-oracle_ebs_apps-alb.tf (terraform)
======================================
Tests:4 (SUCCESSES:3, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb""ebsapps_lb" {
2 │ name =lower(format("lb-%s-ebsapp", local.application_name))
3 │ internal =true4 │ load_balancer_type ="application"5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ enable_deletion_protection =true9 └
..
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf (terraform)
=====================================
Tests:26 (SUCCESSES:12, FAILURES:14, EXCEPTIONS:0)
Failures:14 (HIGH:0, CRITICAL:14)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:325
via ec2-oracle_ebs_apps-sg.tf:318-326 (aws_security_group_rule.egress_traffic_ebsapps_10401)
────────────────────────────────────────
318 resource "aws_security_group_rule""egress_traffic_ebsapps_10401" {
319 security_group_id = aws_security_group.ec2_sg_ebsapps.id
320 type ="egress"321 description ="Oracle"322 protocol ="TCP"323 from_port =10401324 to_port =10401325 [ cidr_blocks = ["0.0.0.0/0"]
326 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:253
via ec2-oracle_ebs_apps-sg.tf:246-254 (aws_security_group_rule.egress_traffic_ebsapps_1389)
────────────────────────────────────────
246 resource "aws_security_group_rule""egress_traffic_ebsapps_1389" {
247 security_group_id = aws_security_group.ec2_sg_ebsapps.id
248 type ="egress"249 description ="ORACLE LDAP"250 protocol ="TCP"251 from_port =1389252 to_port =1389253 [ cidr_blocks = ["0.0.0.0/0"]
254 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:265
via ec2-oracle_ebs_apps-sg.tf:258-266 (aws_security_group_rule.egress_traffic_ebsapps_152x)
────────────────────────────────────────
258 resource "aws_security_group_rule""egress_traffic_ebsapps_152x" {
259 security_group_id = aws_security_group.ec2_sg_ebsapps.id
260 type ="egress"261 description ="ORACLE Net Listener"262 protocol ="TCP"263 from_port =1521264 to_port =1522265 [ cidr_blocks = ["0.0.0.0/0"]
266 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:313
via ec2-oracle_ebs_apps-sg.tf:306-314 (aws_security_group_rule.egress_traffic_ebsapps_1636)
────────────────────────────────────────
306 resource "aws_security_group_rule""egress_traffic_ebsapps_1636" {
307 security_group_id = aws_security_group.ec2_sg_ebsapps.id
308 type ="egress"309 description ="Oracle LDAP SSL"310 protocol ="TCP"311 from_port =1636312 to_port =1636313 [ cidr_blocks = ["0.0.0.0/0"]
314 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:241
via ec2-oracle_ebs_apps-sg.tf:234-242 (aws_security_group_rule.egress_traffic_ebsapps_22)
────────────────────────────────────────
234 resource "aws_security_group_rule""egress_traffic_ebsapps_22" {
235 security_group_id = aws_security_group.ec2_sg_ebsapps.id
236 type ="egress"237 description ="SSH"238 protocol ="TCP"239 from_port =22240 to_port =22241 [ cidr_blocks = ["0.0.0.0/0"]
242 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:229
via ec2-oracle_ebs_apps-sg.tf:222-230 (aws_security_group_rule.egress_traffic_ebsapps_2x)
────────────────────────────────────────
222 resource "aws_security_group_rule""egress_traffic_ebsapps_2x" {
223 security_group_id = aws_security_group.ec2_sg_ebsapps.id
224 type ="egress"225 description ="FTP"226 protocol ="TCP"227 from_port =20228 to_port =21229 [ cidr_blocks = ["0.0.0.0/0"]
230 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:217
via ec2-oracle_ebs_apps-sg.tf:210-218 (aws_security_group_rule.egress_traffic_ebsapps_443)
────────────────────────────────────────
210 resource "aws_security_group_rule""egress_traffic_ebsapps_443" {
211 security_group_id = aws_security_group.ec2_sg_ebsapps.id
212 type ="egress"213 description ="HTTPS"214 protocol ="TCP"215 from_port =443216 to_port =443217 [ cidr_blocks = ["0.0.0.0/0"]
218 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:361
via ec2-oracle_ebs_apps-sg.tf:354-362 (aws_security_group_rule.egress_traffic_ebsapps_4443)
────────────────────────────────────────
354 resource "aws_security_group_rule""egress_traffic_ebsapps_4443" {
355 security_group_id = aws_security_group.ec2_sg_ebsapps.id
356 type ="egress"357 description ="Oracle HTTPS"358 protocol ="TCP"359 from_port =4443360 to_port =4444361 [ cidr_blocks = ["0.0.0.0/0"]
362 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:337
via ec2-oracle_ebs_apps-sg.tf:330-338 (aws_security_group_rule.egress_traffic_ebsapps_50000)
────────────────────────────────────────
330 resource "aws_security_group_rule""egress_traffic_ebsapps_50000" {
331 security_group_id = aws_security_group.ec2_sg_ebsapps.id
332 type ="egress"333 description ="Oracle"334 protocol ="TCP"335 from_port =50000336 to_port =51000337 [ cidr_blocks = ["0.0.0.0/0"]
338 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:277
via ec2-oracle_ebs_apps-sg.tf:270-278 (aws_security_group_rule.egress_traffic_ebsapps_5101)
────────────────────────────────────────
270 resource "aws_security_group_rule""egress_traffic_ebsapps_5101" {
271 security_group_id = aws_security_group.ec2_sg_ebsapps.id
272 type ="egress"273 description ="Oracle"274 protocol ="TCP"275 from_port =5101276 to_port =5101277 [ cidr_blocks = ["0.0.0.0/0"]
278 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:289
via ec2-oracle_ebs_apps-sg.tf:282-290 (aws_security_group_rule.egress_traffic_ebsapps_5401)
────────────────────────────────────────
282 resource "aws_security_group_rule""egress_traffic_ebsapps_5401" {
283 security_group_id = aws_security_group.ec2_sg_ebsapps.id
284 type ="egress"285 description ="Oracle"286 protocol ="TCP"287 from_port =5401288 to_port =5401289 [ cidr_blocks = ["0.0.0.0/0"]
290 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:301
via ec2-oracle_ebs_apps-sg.tf:294-302 (aws_security_group_rule.egress_traffic_ebsapps_5575)
────────────────────────────────────────
294 resource "aws_security_group_rule""egress_traffic_ebsapps_5575" {
295 security_group_id = aws_security_group.ec2_sg_ebsapps.id
296 type ="egress"297 description ="Oracle"298 protocol ="TCP"299 from_port =5575300 to_port =5575301 [ cidr_blocks = ["0.0.0.0/0"]
302 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:205
via ec2-oracle_ebs_apps-sg.tf:198-206 (aws_security_group_rule.egress_traffic_ebsapps_80)
────────────────────────────────────────
198 resource "aws_security_group_rule""egress_traffic_ebsapps_80" {
199 security_group_id = aws_security_group.ec2_sg_ebsapps.id
200 type ="egress"201 description ="Oracle HTTPs"202 protocol ="TCP"203 from_port =80204 to_port =80205 [ cidr_blocks = ["0.0.0.0/0"]
206 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_apps-sg.tf:349
via ec2-oracle_ebs_apps-sg.tf:342-350 (aws_security_group_rule.egress_traffic_ebsapps_800x)
────────────────────────────────────────
342 resource "aws_security_group_rule""egress_traffic_ebsapps_800x" {
343 security_group_id = aws_security_group.ec2_sg_ebsapps.id
344 type ="egress"345 description ="Oracle HTTP"346 protocol ="TCP"347 from_port =8000348 to_port =8005349 [ cidr_blocks = ["0.0.0.0/0"]
350 }
────────────────────────────────────────
ec2-oracle_ebs_apps.tf (terraform)
==================================
Tests:10 (SUCCESSES:9, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2-oracle_ebs_apps.tf:1-50
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf (terraform)
=====================================
Tests:26 (SUCCESSES:12, FAILURES:14, EXCEPTIONS:0)
Failures:14 (HIGH:0, CRITICAL:14)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:327
via ec2-oracle_ebs_conc-sg.tf:320-328 (aws_security_group_rule.egress_traffic_ebsconc_10401)
────────────────────────────────────────
320 resource "aws_security_group_rule""egress_traffic_ebsconc_10401" {
321 security_group_id = aws_security_group.ec2_sg_ebsconc.id
322 type ="egress"323 description ="Oracle"324 protocol ="TCP"325 from_port =10401326 to_port =10401327 [ cidr_blocks = ["0.0.0.0/0"]
328 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:255
via ec2-oracle_ebs_conc-sg.tf:248-256 (aws_security_group_rule.egress_traffic_ebsconc_1389)
────────────────────────────────────────
248 resource "aws_security_group_rule""egress_traffic_ebsconc_1389" {
249 security_group_id = aws_security_group.ec2_sg_ebsconc.id
250 type ="egress"251 description ="ORACLE LDAP"252 protocol ="TCP"253 from_port =1389254 to_port =1389255 [ cidr_blocks = ["0.0.0.0/0"]
256 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:267
via ec2-oracle_ebs_conc-sg.tf:260-268 (aws_security_group_rule.egress_traffic_ebsconc_152x)
────────────────────────────────────────
260 resource "aws_security_group_rule""egress_traffic_ebsconc_152x" {
261 security_group_id = aws_security_group.ec2_sg_ebsconc.id
262 type ="egress"263 description ="ORACLE Net Listener"264 protocol ="TCP"265 from_port =1521266 to_port =1522267 [ cidr_blocks = ["0.0.0.0/0"]
268 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:315
via ec2-oracle_ebs_conc-sg.tf:308-316 (aws_security_group_rule.egress_traffic_ebsconc_1636)
────────────────────────────────────────
308 resource "aws_security_group_rule""egress_traffic_ebsconc_1636" {
309 security_group_id = aws_security_group.ec2_sg_ebsconc.id
310 type ="egress"311 description ="Oracle LDAP SSL"312 protocol ="TCP"313 from_port =1636314 to_port =1636315 [ cidr_blocks = ["0.0.0.0/0"]
316 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:243
via ec2-oracle_ebs_conc-sg.tf:236-244 (aws_security_group_rule.egress_traffic_ebsconc_22)
────────────────────────────────────────
236 resource "aws_security_group_rule""egress_traffic_ebsconc_22" {
237 security_group_id = aws_security_group.ec2_sg_ebsconc.id
238 type ="egress"239 description ="SSH"240 protocol ="TCP"241 from_port =22242 to_port =22243 [ cidr_blocks = ["0.0.0.0/0"]
244 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:231
via ec2-oracle_ebs_conc-sg.tf:224-232 (aws_security_group_rule.egress_traffic_ebsconc_2x)
────────────────────────────────────────
224 resource "aws_security_group_rule""egress_traffic_ebsconc_2x" {
225 security_group_id = aws_security_group.ec2_sg_ebsconc.id
226 type ="egress"227 description ="FTP"228 protocol ="TCP"229 from_port =20230 to_port =21231 [ cidr_blocks = ["0.0.0.0/0"]
232 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:219
via ec2-oracle_ebs_conc-sg.tf:212-220 (aws_security_group_rule.egress_traffic_ebsconc_443)
────────────────────────────────────────
212 resource "aws_security_group_rule""egress_traffic_ebsconc_443" {
213 security_group_id = aws_security_group.ec2_sg_ebsconc.id
214 type ="egress"215 description ="HTTPS"216 protocol ="TCP"217 from_port =443218 to_port =443219 [ cidr_blocks = ["0.0.0.0/0"]
220 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:363
via ec2-oracle_ebs_conc-sg.tf:356-364 (aws_security_group_rule.egress_traffic_ebsconc_4443)
────────────────────────────────────────
356 resource "aws_security_group_rule""egress_traffic_ebsconc_4443" {
357 security_group_id = aws_security_group.ec2_sg_ebsconc.id
358 type ="egress"359 description ="Oracle HTTPS"360 protocol ="TCP"361 from_port =4443362 to_port =4444363 [ cidr_blocks = ["0.0.0.0/0"]
364 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:339
via ec2-oracle_ebs_conc-sg.tf:332-340 (aws_security_group_rule.egress_traffic_ebsconc_50000)
────────────────────────────────────────
332 resource "aws_security_group_rule""egress_traffic_ebsconc_50000" {
333 security_group_id = aws_security_group.ec2_sg_ebsconc.id
334 type ="egress"335 description ="Oracle"336 protocol ="TCP"337 from_port =50000338 to_port =51000339 [ cidr_blocks = ["0.0.0.0/0"]
340 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:279
via ec2-oracle_ebs_conc-sg.tf:272-280 (aws_security_group_rule.egress_traffic_ebsconc_5101)
────────────────────────────────────────
272 resource "aws_security_group_rule""egress_traffic_ebsconc_5101" {
273 security_group_id = aws_security_group.ec2_sg_ebsconc.id
274 type ="egress"275 description ="Oracle"276 protocol ="TCP"277 from_port =5101278 to_port =5101279 [ cidr_blocks = ["0.0.0.0/0"]
280 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:291
via ec2-oracle_ebs_conc-sg.tf:284-292 (aws_security_group_rule.egress_traffic_ebsconc_5401)
────────────────────────────────────────
284 resource "aws_security_group_rule""egress_traffic_ebsconc_5401" {
285 security_group_id = aws_security_group.ec2_sg_ebsconc.id
286 type ="egress"287 description ="Oracle"288 protocol ="TCP"289 from_port =5401290 to_port =5401291 [ cidr_blocks = ["0.0.0.0/0"]
292 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:303
via ec2-oracle_ebs_conc-sg.tf:296-304 (aws_security_group_rule.egress_traffic_ebsconc_5575)
────────────────────────────────────────
296 resource "aws_security_group_rule""egress_traffic_ebsconc_5575" {
297 security_group_id = aws_security_group.ec2_sg_ebsconc.id
298 type ="egress"299 description ="Oracle"300 protocol ="TCP"301 from_port =5575302 to_port =5575303 [ cidr_blocks = ["0.0.0.0/0"]
304 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:207
via ec2-oracle_ebs_conc-sg.tf:200-208 (aws_security_group_rule.egress_traffic_ebsconc_80)
────────────────────────────────────────
200 resource "aws_security_group_rule""egress_traffic_ebsconc_80" {
201 security_group_id = aws_security_group.ec2_sg_ebsconc.id
202 type ="egress"203 description ="Oracle HTTPs"204 protocol ="TCP"205 from_port =80206 to_port =80207 [ cidr_blocks = ["0.0.0.0/0"]
208 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_conc-sg.tf:351
via ec2-oracle_ebs_conc-sg.tf:344-352 (aws_security_group_rule.egress_traffic_ebsconc_800x)
────────────────────────────────────────
344 resource "aws_security_group_rule""egress_traffic_ebsconc_800x" {
345 security_group_id = aws_security_group.ec2_sg_ebsconc.id
346 type ="egress"347 description ="Oracle HTTP"348 protocol ="TCP"349 from_port =8000350 to_port =8005351 [ cidr_blocks = ["0.0.0.0/0"]
352 }
────────────────────────────────────────
ec2-oracle_ebs_conc.tf (terraform)
==================================
Tests:9 (SUCCESSES:8, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2-oracle_ebs_conc.tf:1-48
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_conc" {
2 │ count = local.application_data.accounts[local.environment].conc_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
4 │ ami = local.application_data.accounts[local.environment].ebsconc_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsconc.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized = local.application_data.accounts[local.environment].ebs_optimized
..
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf (terraform)
===================================
Tests:26 (SUCCESSES:12, FAILURES:14, EXCEPTIONS:0)
Failures:14 (HIGH:0, CRITICAL:14)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:327
via ec2-oracle_ebs_db-sg.tf:320-328 (aws_security_group_rule.egress_traffic_ebsdb_10401)
────────────────────────────────────────
320 resource "aws_security_group_rule""egress_traffic_ebsdb_10401" {
321 security_group_id = aws_security_group.ec2_sg_ebsdb.id
322 type ="egress"323 description ="Oracle"324 protocol ="TCP"325 from_port =10401326 to_port =10401327 [ cidr_blocks = ["0.0.0.0/0"]
328 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:255
via ec2-oracle_ebs_db-sg.tf:248-256 (aws_security_group_rule.egress_traffic_ebsdb_1389)
────────────────────────────────────────
248 resource "aws_security_group_rule""egress_traffic_ebsdb_1389" {
249 security_group_id = aws_security_group.ec2_sg_ebsdb.id
250 type ="egress"251 description ="ORACLE LDAP"252 protocol ="TCP"253 from_port =1389254 to_port =1389255 [ cidr_blocks = ["0.0.0.0/0"]
256 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:267
via ec2-oracle_ebs_db-sg.tf:260-268 (aws_security_group_rule.egress_traffic_ebsdb_152x)
────────────────────────────────────────
260 resource "aws_security_group_rule""egress_traffic_ebsdb_152x" {
261 security_group_id = aws_security_group.ec2_sg_ebsdb.id
262 type ="egress"263 description ="ORACLE Net Listener"264 protocol ="TCP"265 from_port =1521266 to_port =1522267 [ cidr_blocks = ["0.0.0.0/0"]
268 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:315
via ec2-oracle_ebs_db-sg.tf:308-316 (aws_security_group_rule.egress_traffic_ebsdb_1636)
────────────────────────────────────────
308 resource "aws_security_group_rule""egress_traffic_ebsdb_1636" {
309 security_group_id = aws_security_group.ec2_sg_ebsdb.id
310 type ="egress"311 description ="Oracle LDAP SSL"312 protocol ="TCP"313 from_port =1636314 to_port =1636315 [ cidr_blocks = ["0.0.0.0/0"]
316 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:243
via ec2-oracle_ebs_db-sg.tf:236-244 (aws_security_group_rule.egress_traffic_ebsdb_22)
────────────────────────────────────────
236 resource "aws_security_group_rule""egress_traffic_ebsdb_22" {
237 security_group_id = aws_security_group.ec2_sg_ebsdb.id
238 type ="egress"239 description ="SSH"240 protocol ="TCP"241 from_port =22242 to_port =22243 [ cidr_blocks = ["0.0.0.0/0"]
244 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:231
via ec2-oracle_ebs_db-sg.tf:224-232 (aws_security_group_rule.egress_traffic_ebsdb_2x)
────────────────────────────────────────
224 resource "aws_security_group_rule""egress_traffic_ebsdb_2x" {
225 security_group_id = aws_security_group.ec2_sg_ebsdb.id
226 type ="egress"227 description ="FTP"228 protocol ="TCP"229 from_port =20230 to_port =21231 [ cidr_blocks = ["0.0.0.0/0"]
232 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:219
via ec2-oracle_ebs_db-sg.tf:212-220 (aws_security_group_rule.egress_traffic_ebsdb_443)
────────────────────────────────────────
212 resource "aws_security_group_rule""egress_traffic_ebsdb_443" {
213 security_group_id = aws_security_group.ec2_sg_ebsdb.id
214 type ="egress"215 description ="HTTPS"216 protocol ="TCP"217 from_port =443218 to_port =443219 [ cidr_blocks = ["0.0.0.0/0"]
220 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:363
via ec2-oracle_ebs_db-sg.tf:356-364 (aws_security_group_rule.egress_traffic_ebsdb_4443)
────────────────────────────────────────
356 resource "aws_security_group_rule""egress_traffic_ebsdb_4443" {
357 security_group_id = aws_security_group.ec2_sg_ebsdb.id
358 type ="egress"359 description ="Oracle HTTPS"360 protocol ="TCP"361 from_port =4443362 to_port =4444363 [ cidr_blocks = ["0.0.0.0/0"]
364 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:339
via ec2-oracle_ebs_db-sg.tf:332-340 (aws_security_group_rule.egress_traffic_ebsdb_50000)
────────────────────────────────────────
332 resource "aws_security_group_rule""egress_traffic_ebsdb_50000" {
333 security_group_id = aws_security_group.ec2_sg_ebsdb.id
334 type ="egress"335 description ="Oracle"336 protocol ="TCP"337 from_port =50000338 to_port =51000339 [ cidr_blocks = ["0.0.0.0/0"]
340 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:279
via ec2-oracle_ebs_db-sg.tf:272-280 (aws_security_group_rule.egress_traffic_ebsdb_5101)
────────────────────────────────────────
272 resource "aws_security_group_rule""egress_traffic_ebsdb_5101" {
273 security_group_id = aws_security_group.ec2_sg_ebsdb.id
274 type ="egress"275 description ="Oracle"276 protocol ="TCP"277 from_port =5101278 to_port =5101279 [ cidr_blocks = ["0.0.0.0/0"]
280 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:291
via ec2-oracle_ebs_db-sg.tf:284-292 (aws_security_group_rule.egress_traffic_ebsdb_5401)
────────────────────────────────────────
284 resource "aws_security_group_rule""egress_traffic_ebsdb_5401" {
285 security_group_id = aws_security_group.ec2_sg_ebsdb.id
286 type ="egress"287 description ="Oracle"288 protocol ="TCP"289 from_port =5401290 to_port =5401291 [ cidr_blocks = ["0.0.0.0/0"]
292 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:303
via ec2-oracle_ebs_db-sg.tf:296-304 (aws_security_group_rule.egress_traffic_ebsdb_5575)
────────────────────────────────────────
296 resource "aws_security_group_rule""egress_traffic_ebsdb_5575" {
297 security_group_id = aws_security_group.ec2_sg_ebsdb.id
298 type ="egress"299 description ="Oracle"300 protocol ="TCP"301 from_port =5575302 to_port =5575303 [ cidr_blocks = ["0.0.0.0/0"]
304 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:207
via ec2-oracle_ebs_db-sg.tf:200-208 (aws_security_group_rule.egress_traffic_ebsdb_80)
────────────────────────────────────────
200 resource "aws_security_group_rule""egress_traffic_ebsdb_80" {
201 security_group_id = aws_security_group.ec2_sg_ebsdb.id
202 type ="egress"203 description ="Oracle HTTPs"204 protocol ="TCP"205 from_port =80206 to_port =80207 [ cidr_blocks = ["0.0.0.0/0"]
208 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_ebs_db-sg.tf:351
via ec2-oracle_ebs_db-sg.tf:344-352 (aws_security_group_rule.egress_traffic_ebsdb_800x)
────────────────────────────────────────
344 resource "aws_security_group_rule""egress_traffic_ebsdb_800x" {
345 security_group_id = aws_security_group.ec2_sg_ebsdb.id
346 type ="egress"347 description ="Oracle HTTP"348 protocol ="TCP"349 from_port =8000350 to_port =8005351 [ cidr_blocks = ["0.0.0.0/0"]
352 }
────────────────────────────────────────
ec2-oracle_ebs_db.tf (terraform)
================================
Tests:20 (SUCCESSES:19, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2-oracle_ebs_db.tf:1-48
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ec2-oracle_webgate-alb-sg.tf (terraform)
========================================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-alb-sg.tf:42
via ec2-oracle_webgate-alb-sg.tf:35-43 (aws_security_group_rule.egress_traffic_webgatelb_80)
────────────────────────────────────────
35 resource "aws_security_group_rule""egress_traffic_webgatelb_80" {
36 security_group_id = aws_security_group.sg_webgate_lb.id
37 type ="egress"38 description ="All"39 protocol ="TCP"40 from_port =041 to_port =042 [ cidr_blocks = ["0.0.0.0/0"]
43 }
────────────────────────────────────────
ec2-oracle_webgate-alb.tf (terraform)
=====================================
Tests:4 (SUCCESSES:3, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ec2-oracle_webgate-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ name =lower(format("lb-%s-webgate", local.application_name))
3 │ internal =true4 │ load_balancer_type ="application"5 │ security_groups = [aws_security_group.sg_webgate_lb.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ enable_deletion_protection =true9 └
..
────────────────────────────────────────
ec2-oracle_webgate-sg.tf (terraform)
====================================
Tests:26 (SUCCESSES:12, FAILURES:14, EXCEPTIONS:0)
Failures:14 (HIGH:0, CRITICAL:14)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:326
via ec2-oracle_webgate-sg.tf:319-327 (aws_security_group_rule.egress_traffic_webgate_10401)
────────────────────────────────────────
319 resource "aws_security_group_rule""egress_traffic_webgate_10401" {
320 security_group_id = aws_security_group.ec2_sg_webgate.id
321 type ="egress"322 description ="Oracle"323 protocol ="TCP"324 from_port =10401325 to_port =10401326 [ cidr_blocks = ["0.0.0.0/0"]
327 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:254
via ec2-oracle_webgate-sg.tf:247-255 (aws_security_group_rule.egress_traffic_webgate_1389)
────────────────────────────────────────
247 resource "aws_security_group_rule""egress_traffic_webgate_1389" {
248 security_group_id = aws_security_group.ec2_sg_webgate.id
249 type ="egress"250 description ="ORACLE LDAP"251 protocol ="TCP"252 from_port =1389253 to_port =1389254 [ cidr_blocks = ["0.0.0.0/0"]
255 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:266
via ec2-oracle_webgate-sg.tf:259-267 (aws_security_group_rule.egress_traffic_webgate_152x)
────────────────────────────────────────
259 resource "aws_security_group_rule""egress_traffic_webgate_152x" {
260 security_group_id = aws_security_group.ec2_sg_webgate.id
261 type ="egress"262 description ="ORACLE Net Listener"263 protocol ="TCP"264 from_port =1521265 to_port =1522266 [ cidr_blocks = ["0.0.0.0/0"]
267 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:314
via ec2-oracle_webgate-sg.tf:307-315 (aws_security_group_rule.egress_traffic_webgate_1636)
────────────────────────────────────────
307 resource "aws_security_group_rule""egress_traffic_webgate_1636" {
308 security_group_id = aws_security_group.ec2_sg_webgate.id
309 type ="egress"310 description ="Oracle LDAP SSL"311 protocol ="TCP"312 from_port =1636313 to_port =1636314 [ cidr_blocks = ["0.0.0.0/0"]
315 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:242
via ec2-oracle_webgate-sg.tf:235-243 (aws_security_group_rule.egress_traffic_webgate_22)
────────────────────────────────────────
235 resource "aws_security_group_rule""egress_traffic_webgate_22" {
236 security_group_id = aws_security_group.ec2_sg_webgate.id
237 type ="egress"238 description ="SSH"239 protocol ="TCP"240 from_port =22241 to_port =22242 [ cidr_blocks = ["0.0.0.0/0"]
243 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:230
via ec2-oracle_webgate-sg.tf:223-231 (aws_security_group_rule.egress_traffic_webgate_2x)
────────────────────────────────────────
223 resource "aws_security_group_rule""egress_traffic_webgate_2x" {
224 security_group_id = aws_security_group.ec2_sg_webgate.id
225 type ="egress"226 description ="FTP"227 protocol ="TCP"228 from_port =20229 to_port =21230 [ cidr_blocks = ["0.0.0.0/0"]
231 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:218
via ec2-oracle_webgate-sg.tf:211-219 (aws_security_group_rule.egress_traffic_webgate_443)
────────────────────────────────────────
211 resource "aws_security_group_rule""egress_traffic_webgate_443" {
212 security_group_id = aws_security_group.ec2_sg_webgate.id
213 type ="egress"214 description ="HTTPS"215 protocol ="TCP"216 from_port =443217 to_port =443218 [ cidr_blocks = ["0.0.0.0/0"]
219 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:362
via ec2-oracle_webgate-sg.tf:355-363 (aws_security_group_rule.egress_traffic_webgate_4443)
────────────────────────────────────────
355 resource "aws_security_group_rule""egress_traffic_webgate_4443" {
356 security_group_id = aws_security_group.ec2_sg_webgate.id
357 type ="egress"358 description ="Oracle HTTPS"359 protocol ="TCP"360 from_port =4443361 to_port =4444362 [ cidr_blocks = ["0.0.0.0/0"]
363 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:338
via ec2-oracle_webgate-sg.tf:331-339 (aws_security_group_rule.egress_traffic_webgate_50000)
────────────────────────────────────────
331 resource "aws_security_group_rule""egress_traffic_webgate_50000" {
332 security_group_id = aws_security_group.ec2_sg_webgate.id
333 type ="egress"334 description ="Oracle"335 protocol ="TCP"336 from_port =50000337 to_port =51000338 [ cidr_blocks = ["0.0.0.0/0"]
339 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:278
via ec2-oracle_webgate-sg.tf:271-279 (aws_security_group_rule.egress_traffic_webgate_5101)
────────────────────────────────────────
271 resource "aws_security_group_rule""egress_traffic_webgate_5101" {
272 security_group_id = aws_security_group.ec2_sg_webgate.id
273 type ="egress"274 description ="Oracle"275 protocol ="TCP"276 from_port =5101277 to_port =5101278 [ cidr_blocks = ["0.0.0.0/0"]
279 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:290
via ec2-oracle_webgate-sg.tf:283-291 (aws_security_group_rule.egress_traffic_webgate_5401)
────────────────────────────────────────
283 resource "aws_security_group_rule""egress_traffic_webgate_5401" {
284 security_group_id = aws_security_group.ec2_sg_webgate.id
285 type ="egress"286 description ="Oracle"287 protocol ="TCP"288 from_port =5401289 to_port =5401290 [ cidr_blocks = ["0.0.0.0/0"]
291 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:302
via ec2-oracle_webgate-sg.tf:295-303 (aws_security_group_rule.egress_traffic_webgate_5575)
────────────────────────────────────────
295 resource "aws_security_group_rule""egress_traffic_webgate_5575" {
296 security_group_id = aws_security_group.ec2_sg_webgate.id
297 type ="egress"298 description ="Oracle"299 protocol ="TCP"300 from_port =5575301 to_port =5575302 [ cidr_blocks = ["0.0.0.0/0"]
303 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:206
via ec2-oracle_webgate-sg.tf:199-207 (aws_security_group_rule.egress_traffic_webgate_80)
────────────────────────────────────────
199 resource "aws_security_group_rule""egress_traffic_webgate_80" {
200 security_group_id = aws_security_group.ec2_sg_webgate.id
201 type ="egress"202 description ="Oracle HTTPs"203 protocol ="TCP"204 from_port =80205 to_port =80206 [ cidr_blocks = ["0.0.0.0/0"]
207 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2-oracle_webgate-sg.tf:350
via ec2-oracle_webgate-sg.tf:343-351 (aws_security_group_rule.egress_traffic_webgate_800x)
────────────────────────────────────────
343 resource "aws_security_group_rule""egress_traffic_webgate_800x" {
344 security_group_id = aws_security_group.ec2_sg_webgate.id
345 type ="egress"346 description ="Oracle HTTP"347 protocol ="TCP"348 from_port =8000349 to_port =8005350 [ cidr_blocks = ["0.0.0.0/0"]
351 }
────────────────────────────────────────
ec2-oracle_webgate.tf (terraform)
=================================
Tests:7 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
efs.tf (terraform)
==================
Tests:3 (SUCCESSES:2, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
efs.tf:55-57
via efs.tf:51-58 (egress)
via efs.tf:34-63 (aws_security_group.efs-security-group)
────────────────────────────────────────
34 resource "aws_security_group""efs-security-group" {
..
55 ┌ cidr_blocks = [
56 │ "0.0.0.0/0",
57 └ ]
..
63 }
────────────────────────────────────────
sns.tf (terraform)
==================
Tests:6 (SUCCESSES:3, FAILURES:3, EXCEPTIONS:0)
Failures:3 (HIGH:3, CRITICAL:0)
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:18-21
────────────────────────────────────────
18 ┌ resource "aws_sns_topic""cw_alerts" {
19 │ name ="ccms-ebs-ec2-alerts"20 │ #kms_master_key_id = "alias/aws/sns"21 └ }
────────────────────────────────────────
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:52-55
────────────────────────────────────────
52 ┌ resource "aws_sns_topic""ddos_alarm" {
53 │ name =format("%s_ddos_alarm", local.application_name)
54 │ #kms_master_key_id = "alias/aws/sns"55 └ }
────────────────────────────────────────
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:35-38
────────────────────────────────────────
35 ┌ resource "aws_sns_topic""s3_topic" {
36 │ name ="s3-event-notification-topic"37 │ policy = data.aws_iam_policy_document.s3_topic_policy.json
38 └ }
────────────────────────────────────────
trivy_exitcode=1
dependabotbot
deleted the
dependabot/terraform/terraform/environments/ccms-ebs-upgrade/s3-bucket-logging--github--ministryofjustice/modernisation-platform-terraform-s3-bucket--v7.0.0-8.1.0
branch
September 18, 2024 00:55
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
the
dependencies
github-actions
bot
added
the
environments-repository
Bumps s3-bucket-logging::modernisation-platform-terraform-s3-bucket from 7.0.0 to 8.1.0.
Release notes
Sourced from s3-bucket-logging::modernisation-platform-terraform-s3-bucket's releases.
... (truncated)
Commits
4e17731Merge pull request #510 from ministryofjustice/dependabot/github_actions/brid...8431e01Merge pull request #509 from ministryofjustice/dependabot/github_actions/gith...6c10893Merge pull request #511 from ministryofjustice/enforce_tls_12_or_highereb12580Commit changes made by code formatterse810ef3Revise bucket policy to enforce tls v1.2 or higher connectionsde70f45Bump bridgecrewio/checkov-action from 12.2849.0 to 12.2851.0df49d9dBump github/codeql-action from 3.26.1 to 3.26.2f95c656Merge pull request #508 from ministryofjustice/dependabot/github_actions/gith...85eb05bBump github/codeql-action from 3.26.0 to 3.26.1ae42a20Merge pull request #507 from ministryofjustice/dependabot/github_actions/brid...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)