HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.
See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/apex
*****************************
Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-12 13:25:41,629 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-09-12 13:25:41,629 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 358, Failed checks: 94, Skipped checks: 5, Parsing errors: 1
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
FAILED for resource: aws_backup_vault.apex
File: /backups.tf:10-16
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk
10 | resource "aws_backup_vault" "apex" {
11 | name = "${local.application_name}-backup-vault"
12 | tags = merge(
13 | local.tags,
14 | { "Name" = "${local.application_name}-backup-vault" },
15 | )
16 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
File: /cloudfront.tf:156-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
157 | count = local.environment == "production" ? 1 : 0
158 | bucket = aws_s3_bucket.cloudfront.id
159 |
160 | rule {
161 | id = "delete-after-90days"
162 |
163 | expiration {
164 | days = 90
165 | }
166 |
167 | noncurrent_version_expiration {
168 | newer_noncurrent_versions = 1
169 | noncurrent_days = 90
170 | }
171 |
172 | status = "Enabled"
173 | }
174 | }
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.cloudfront
File: /cloudfront.tf:294-304
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
294 | resource "aws_acm_certificate" "cloudfront" {
295 | domain_name = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
296 | validation_method = "DNS"
297 | provider = aws.us-east-1
298 | subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
299 | tags = local.tags
300 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
301 | lifecycle {
302 | prevent_destroy = false
303 | }
304 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.apex_db_instance
File: /ec2.tf:6-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
6 | resource "aws_instance" "apex_db_instance" {
7 | ami = local.application_data.accounts[local.environment].ec2amiid
8 | associate_public_ip_address = false
9 | availability_zone = "eu-west-2a"
10 | ebs_optimized = true
11 | instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 | vpc_security_group_ids = [aws_security_group.database.id]
13 | monitoring = true
14 | subnet_id = data.aws_subnet.data_subnets_a.id
15 | iam_instance_profile = aws_iam_instance_profile.ec2_instance_profile.id
16 | key_name = aws_key_pair.apex.key_name
17 | user_data_base64 = base64encode(local.database-instance-userdata)
18 | user_data_replace_on_change = local.application_data.accounts[local.environment].user_data_replace_on_change
19 |
20 |
21 | root_block_device {
22 | delete_on_termination = false
23 | encrypted = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
24 | volume_size = 60
25 | volume_type = "gp2"
26 | tags = merge(
27 | local.tags,
28 | { "Name" = "${local.application_name}db-ec2-root" },
29 | )
30 | }
31 |
32 | tags = merge(
33 | local.tags,
34 | { "Name" = local.database_ec2_name },
35 | { "instance-scheduling" = "skip-scheduling" },
36 | { "snapshot-with-daily-7-day-retention" = "yes" }
37 | )
38 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
File: /ec2.tf:75-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
76 | security_group_id = aws_security_group.database.id
77 | description = "Allow Lambda SSH access for backup snapshots"
78 | referenced_security_group_id = aws_security_group.backup_lambda.id
79 | from_port = 22
80 | ip_protocol = "tcp"
81 | to_port = 22
82 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /ec2.tf:103-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 | security_group_id = aws_security_group.database.id
105 | cidr_ipv4 = "0.0.0.0/0"
106 | ip_protocol = "-1"
107 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.database
File: /ec2.tf:263-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
263 | resource "aws_cloudwatch_log_group" "database" {
264 | name = "${upper(local.application_name)}-EC2-database-alert"
265 | retention_in_days = 0
266 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
267 | tags = merge(
268 | local.tags,
269 | {
270 | Name = "${upper(local.application_name)}-EC2-database-alert"
271 | }
272 | )
273 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.pmon_status
File: /ec2.tf:288-298
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
288 | resource "aws_cloudwatch_log_group" "pmon_status" {
289 | name = "${upper(local.application_name)}-EC2-database-pmon-status"
290 | retention_in_days = 0
291 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
292 | tags = merge(
293 | local.tags,
294 | {
295 | Name = "${upper(local.application_name)}-EC2-database-pmon-status"
296 | }
297 | )
298 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.ssh_key
File: /lambda.tf:7-22
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337
7 | resource "aws_ssm_parameter" "ssh_key" {
8 | name = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
9 | description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
10 | type = "SecureString"
11 | value = "Placeholder"
12 |
13 | tags = merge(
14 | local.tags,
15 | { Name = "EC2_SSH_KEY" }
16 | )
17 | lifecycle {
18 | ignore_changes = [
19 | value,
20 | ]
21 | }
22 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
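The five Lambda checks repeated above (CKV_AWS_116 dead-letter queue, CKV_AWS_115 reserved concurrency, CKV_AWS_272 code signing, CKV_AWS_173 environment-variable encryption, CKV_AWS_50 X-Ray) each map to one attribute or block on `aws_lambda_function`. The following is an added example and not code from this repository: `connect_db` as listed above with all five set, plus the queue, KMS key and signing profile the new attributes reference. Those three supporting resources and their names are assumptions; the function's own attributes are copied from the listing.

```hcl
# Added example (not from this repository). The queue, key and signing profile
# names are assumptions; the function attributes are those listed in lambda.tf.

# CKV_AWS_116: events that fail after all retries land here instead of vanishing.
resource "aws_sqs_queue" "lambda_dlq" {
  name                      = "${local.application_name}-${local.environment}-lambda-dlq"
  message_retention_seconds = 1209600 # 14 days, the maximum
  kms_master_key_id         = aws_kms_key.lambda.arn
}

# CKV_AWS_173: a CMK for environment variables (and the DLQ) instead of the
# AWS-managed Lambda key, so access to the plaintext is governed by a key policy.
resource "aws_kms_key" "lambda" {
  description         = "CMK for backup Lambda env vars and DLQ"
  enable_key_rotation = true
}

# CKV_AWS_272: only packages signed by this profile may be deployed.
resource "aws_signer_signing_profile" "lambda" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "backup_lambda_" # Signer names allow only [A-Za-z0-9_]
}

resource "aws_lambda_code_signing_config" "lambda" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.lambda.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce" # reject unsigned code; "Warn" only logs
  }
}

resource "aws_lambda_function" "connect_db" {
  description      = "SSH to the DB EC2"
  function_name    = "connectDBFunction"
  role             = aws_iam_role.backup_lambda.arn
  handler          = "ssh/dbconnect.handler"
  source_code_hash = data.archive_file.connect_db.output_base64sha256
  runtime          = "nodejs18.x"
  layers           = [aws_lambda_layer_version.backup_lambda.arn]
  s3_bucket        = aws_s3_bucket.backup_lambda.id
  s3_key           = "${local.db_connect_script_prefix}.zip"
  memory_size      = 128
  timeout          = 900
  depends_on       = [time_sleep.wait_for_provision_files]

  # CKV_AWS_115: a misfiring trigger cannot fan 900-second executions out
  # across the account's unreserved concurrency pool.
  reserved_concurrent_executions = 1

  code_signing_config_arn = aws_lambda_code_signing_config.lambda.arn # CKV_AWS_272
  kms_key_arn             = aws_kms_key.lambda.arn                    # CKV_AWS_173

  dead_letter_config {
    target_arn = aws_sqs_queue.lambda_dlq.arn # CKV_AWS_116
  }

  tracing_config {
    mode = "Active" # CKV_AWS_50
  }

  environment {
    variables = {
      LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
    }
  }

  vpc_config {
    security_group_ids = [aws_security_group.backup_lambda.id]
    subnet_ids         = [data.aws_subnet.data_subnets_a.id]
  }

  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
  )
}
```

Three things follow from these settings that the checks do not mention. The execution role needs `sqs:SendMessage` on the queue, `kms:GenerateDataKey` and `kms:Decrypt` on the key, and `xray:PutTraceSegments`/`xray:PutTelemetryRecords`, otherwise the DLQ write and trace upload fail silently. With `Enforce`, the object at `s3_key` must be the output of an AWS Signer signing job for that profile; uploading the raw `archive_file` zip makes the next deploy fail. Reserved concurrency is taken out of the account pool even when the function is idle, so pick the number per function rather than copying it.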
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
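CKV_AWS_149 wants `kms_key_id` on the secret pointed at a customer managed key. As an added example, not the alb module's own code, here is the secret with a CMK together with the reader-side policy a CMK makes necessary: once the secret is encrypted with your own key, every principal calling `GetSecretValue` also needs `kms:Decrypt` on that key, and that is the usual cause of "access denied" after this change. The alias name and the `secret_reader` document are assumptions.

```hcl
# Added example (not from this repository). Alias name and the reader policy
# document are assumptions; the secret attributes are those listed above.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_kms_key" "secrets" {
  description         = "CMK for the CloudFront/ALB shared secret"
  enable_key_rotation = true
  # No explicit key policy: the default grants the account root full control,
  # so IAM policies in this account can grant use of the key.
}

resource "aws_kms_alias" "secrets" {
  name          = "alias/${var.application_name}-secrets"
  target_key_id = aws_kms_key.secrets.key_id
}

resource "aws_secretsmanager_secret" "cloudfront" {
  name        = "cloudfront-v1-secret-${var.application_name}"
  description = "Secret shared between ALB and CloudFront"
  kms_key_id  = aws_kms_key.secrets.arn # CKV_AWS_149
}

# Attach to every principal that reads the secret. The decrypt grant is limited
# to calls made through Secrets Manager in this region, so the same principal
# cannot use the key to decrypt arbitrary ciphertext directly.
data "aws_iam_policy_document" "secret_reader" {
  statement {
    sid       = "ReadSharedSecret"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.cloudfront.arn]
  }

  statement {
    sid       = "DecryptViaSecretsManagerOnly"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}
```

If the secret is rotated by a Lambda rotation function, that function's role needs `kms:Encrypt` and `kms:GenerateDataKey` on the key as well, since rotation writes a new version.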
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: module.alb.aws_acm_certificate.external_lb
File: /modules/alb/main.tf:658-668
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
658 | resource "aws_acm_certificate" "external_lb" {
659 |
660 | domain_name = var.acm_cert_domain_name
661 | validation_method = "DNS"
662 | subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
663 | tags = var.tags
664 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
665 | lifecycle {
666 | prevent_destroy = false
667 | }
668 | }
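CKV_AWS_233 is about replacement order, not the `prevent_destroy` TODO in the listing. When a certificate attribute changes (for example the SAN list when `var.environment` changes), Terraform by default destroys the old certificate first; the destroy fails, or briefly breaks TLS, while a listener still references it. Setting `prevent_destroy = true` would not fix that, it would turn the replacement into a plan error. Added example, not the module's code: the certificate with `create_before_destroy`, its DNS validation records, and a listener that references the validation resource so it never points at an unissued certificate. The Route 53 zone, load balancer and target group references are assumptions.

```hcl
# Added example (not from this repository). data.aws_route53_zone.external,
# aws_lb.external and aws_lb_target_group.external are assumed to exist.
resource "aws_acm_certificate" "external_lb" {
  domain_name               = var.acm_cert_domain_name
  validation_method         = "DNS"
  subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
  tags                      = var.tags

  lifecycle {
    create_before_destroy = true # CKV_AWS_233: issue the new cert, swap, then destroy the old one
  }
}

# One CNAME per name on the certificate (apex plus the non-production SAN).
resource "aws_route53_record" "external_lb_validation" {
  for_each = {
    for dvo in aws_acm_certificate.external_lb.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = data.aws_route53_zone.external.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true # the replacement cert reuses the same validation names
}

# Completes only when ACM reports ISSUED; consumers depend on this, not on
# the bare certificate, so a half-validated cert is never attached.
resource "aws_acm_certificate_validation" "external_lb" {
  certificate_arn         = aws_acm_certificate.external_lb.arn
  validation_record_fqdns = [for r in aws_route53_record.external_lb_validation : r.fqdn]
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.external.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2 minimum, TLS 1.3 preferred
  certificate_arn   = aws_acm_certificate_validation.external_lb.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.external.arn
  }
}
```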
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.alb.s3-bucket[0]
File: /modules/alb/main.tf:124-179
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
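CKV_TF_1 applies to the `s3-bucket` module call at modules/alb/main.tf:124-179, whose `source` is not shown in this output. Added example (not the module's code; the repository URL and commit SHA are placeholders): the shape of a git module source pinned to a commit, with the moving ref it replaces shown as a comment. A branch or tag can be re-pointed by anyone with write access to the module repository, so an unpinned source means the next `terraform init` in CI runs whatever that ref resolves to at that moment; a full 40-character SHA is immutable and makes every module upgrade a reviewable diff.

```hcl
# Added example (not from this repository). URL and SHA are placeholders.
module "s3-bucket" {
  # Weak: `?ref=main` (or a tag such as `?ref=v1.2.0`) can be moved after review.
  # source = "git::https://github.com/example-org/terraform-modules.git//s3-bucket?ref=main"

  # Pinned: the double slash selects the subdirectory, `ref` names the exact commit.
  source = "git::https://github.com/example-org/terraform-modules.git//s3-bucket?ref=0123456789abcdef0123456789abcdef01234567"

  # module inputs unchanged from the original call
}
```

Tools such as Dependabot or Renovate can open pull requests that bump the SHA when the upstream module changes, which keeps the pin from becoming a reason never to upgrade.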
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
File: /modules/codebuild/main.tf:25-39
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
26 | bucket = aws_s3_bucket.deployment_report.id
27 |
28 | rule {
29 | id = "monthly-expiration"
30 | expiration {
31 | days = var.s3_lifecycle_expiration_days
32 | }
33 | noncurrent_version_expiration {
34 | noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
35 | }
36 |
37 | status = "Enabled"
38 | }
39 | }
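CKV_AWS_300 is satisfied by an `abort_incomplete_multipart_upload` block inside the rule. Parts of a multipart upload that never completes are stored and billed indefinitely but do not appear in `ListObjects`, so neither the expiration rules above nor a bucket listing ever reclaim them. Added example, not the codebuild module's own code: the listed lifecycle configuration with that block added; the seven-day window is an assumption.

```hcl
# Added example (not from this repository). The 7-day window is an assumption;
# variables and the bucket reference are those of the listed resource.
resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
  bucket = aws_s3_bucket.deployment_report.id

  rule {
    id     = "monthly-expiration"
    status = "Enabled"

    # Empty filter: the rule applies to every object in the bucket.
    filter {}

    expiration {
      days = var.s3_lifecycle_expiration_days
    }

    noncurrent_version_expiration {
      noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
    }

    # CKV_AWS_300: orphaned multipart parts are removed a week after the
    # upload was initiated, whether or not it was ever completed.
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```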
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
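CKV_AWS_51, CKV_AWS_163 and CKV_AWS_136 are three settings on the same `aws_ecr_repository`. Added example (not the module's code): the repository with immutable tags, scan-on-push and a CMK, plus a lifecycle policy that keeps immutability from turning into unbounded storage. The KMS key and the lifecycle policy resource are assumptions.

```hcl
# Added example (not from this repository). The KMS key and lifecycle policy
# are assumptions; name and tags are those of the listed repository.
resource "aws_kms_key" "ecr" {
  description         = "CMK for ${var.app_name} container images"
  enable_key_rotation = true
}

resource "aws_ecr_repository" "local-ecr" {
  name = "${var.app_name}-local-ecr"

  # CKV_AWS_51: a tag can no longer be re-pointed at a different digest, so a
  # task definition that references :v1.2 runs the image that was reviewed as v1.2.
  image_tag_mutability = "IMMUTABLE"

  # CKV_AWS_163: basic vulnerability scan on every push.
  image_scanning_configuration {
    scan_on_push = true
  }

  # CKV_AWS_136: layers encrypted with a CMK instead of the default SSE-S3 key.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  tags = merge(var.tags, { Name = "${var.app_name}-local-ecr" })
}

# With immutable tags a pipeline pushes a unique tag per build (for example the
# git SHA). Re-pushed layers that end up untagged are expired here so the
# repository does not grow without bound.
resource "aws_ecr_lifecycle_policy" "local-ecr" {
  repository = aws_ecr_repository.local-ecr.name

  policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "expire untagged images after 14 days"
      selection = {
        tagStatus   = "untagged"
        countType   = "sinceImagePushed"
        countUnit   = "days"
        countNumber = 14
      }
      action = { type = "expire" }
    }]
  })
}
```

Two migration caveats. Changing `encryption_configuration` on an existing repository forces Terraform to replace it, and the images in the old repository are not carried over, so create the new repository, re-push, then retire the old one. Turning on `IMMUTABLE` breaks any build that pushes `:latest` on every run; the push is rejected with an `ImageTagAlreadyExistsException`, which is the intended effect, but the pipeline must be changed first.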
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
File: /modules/codebuild/main.tf:231-280
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
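CKV_AWS_314 fails for both projects and CKV_AWS_316 only for `app-build`, which is consistent with `app-build` producing the container image: `docker build` inside CodeBuild does require privileged mode, while a test project does not. Added example, not the module's code: the `test-build` project with a CloudWatch `logs_config` and privileged mode off. The log group, service role, image and source values are assumptions.

```hcl
# Added example (not from this repository). Log group, role, image and source
# values are assumptions; only the blocks the two checks look at are essential.
resource "aws_cloudwatch_log_group" "codebuild" {
  name              = "/aws/codebuild/${var.app_name}"
  retention_in_days = 365
  kms_key_id        = var.log_group_kms_key
}

resource "aws_codebuild_project" "test-build" {
  name         = "${var.app_name}-test-build"
  service_role = aws_iam_role.codebuild.arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  environment {
    compute_type    = "BUILD_GENERAL1_SMALL"
    image           = "aws/codebuild/standard:7.0"
    type            = "LINUX_CONTAINER"
    privileged_mode = false # CKV_AWS_316: tests need no Docker daemon
  }

  # CKV_AWS_314: without this the build log exists only in the CodeBuild
  # console and disappears with the build history; here it lands in a group
  # with retention and a KMS key, where it can be queried and alerted on.
  logs_config {
    cloudwatch_logs {
      status      = "ENABLED"
      group_name  = aws_cloudwatch_log_group.codebuild.name
      stream_name = "test-build"
    }
  }

  source {
    type     = "GITHUB"
    location = var.source_repository_url # assumption: the application repository
  }

  tags = merge(var.tags, { Name = "${var.app_name}-test-build" })
}
```

For `app-build`, either keep privileged mode but confine it to that one project with its own minimal service role (the flag gives the build container control of the host's Docker daemon, so the build's supply chain is the blast radius), or build with a daemonless tool such as kaniko, which runs in CodeBuild without privileged mode.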
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341
Code lines for this resource are too many. Please use IDE of your choice to review the file.
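CKV_AWS_79 and CKV_AWS_341 are both the `metadata_options` block on the launch template. Requiring IMDSv2 tokens closes the classic SSRF-to-instance-credentials path, since an attacker relaying GET requests through a web application cannot perform the PUT that obtains a token; a hop limit of 1 stops the token reply from being routed past the instance's own network stack. On an ECS container instance that second setting has a side effect worth knowing: containers on Docker's bridge network sit one hop behind the host, so they lose IMDS access too. That is desirable when tasks use task roles (credentials come from the ECS agent's endpoint, not IMDS), but it breaks containers that still fall back to the instance role. Added example, not the module's code: the launch template's metadata and agent settings; AMI, instance type, cluster and profile references are assumptions, while the `ECS_*` variables are real agent settings.

```hcl
# Added example (not from this repository). AMI, instance type, cluster and
# instance-profile references are assumptions.
resource "aws_launch_template" "ec2-launch-template" {
  name_prefix   = "${var.app_name}-ecs-"
  image_id      = data.aws_ami.ecs_optimized.id
  instance_type = var.instance_type

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # CKV_AWS_79: IMDSv2 only
    http_put_response_hop_limit = 1          # CKV_AWS_341: token reply stays on the host
    instance_metadata_tags      = "disabled"
  }

  # Tasks get credentials from the task-role endpoint (169.254.170.2); block
  # IMDS for awsvpc tasks explicitly so no task can read the instance role.
  user_data = base64encode(<<-EOT
    #!/bin/bash
    cat <<'EOF' >> /etc/ecs/ecs.config
    ECS_CLUSTER=${aws_ecs_cluster.main.name}
    ECS_ENABLE_TASK_IAM_ROLE=true
    ECS_AWSVPC_BLOCK_IMDS=true
    EOF
  EOT
  )

  iam_instance_profile {
    arn = aws_iam_instance_profile.ec2_instance_profile.arn
  }

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size = 30
      encrypted   = true
    }
  }

  tag_specifications {
    resource_type = "instance"
    tags          = merge(var.tags_common, { Name = "${var.app_name}-ecs-instance" })
  }
}
```

Before rolling this out, check CloudWatch for the `MetadataNoToken` EC2 metric on the existing instances: a non-zero count means something on the host (an old SDK, a container without a task role) is still making IMDSv1 calls and will break when tokens become required.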
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
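CKV_AWS_290, CKV_AWS_355 and CKV_AWS_289 all point at the same two problems in `ec2_instance_policy`: `ecr:*` on `*` lets any process on the container instance push, delete or re-tag images in every repository in the account (and change repository policies, hence the "permissions management" finding), and the `logs:` write actions are unconstrained. The ECS agent's own control-plane calls are the part that legitimately needs broad permissions, and AWS already publishes a managed policy for exactly that. Added example, not the module's code: the agent permissions come from the managed policy, and the custom document keeps `*` only for `ecr:GetAuthorizationToken`, which accepts no resource. The instance role name and the ECR repository ARN variable are assumptions; the two log groups are those listed further down in this module.

```hcl
# Added example (not from this repository). aws_iam_role.ec2_instance_role and
# var.ecr_repository_arn are assumptions.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Stream-level ARN pattern for the module's two log groups.
  log_group_arns = [
    for g in [aws_cloudwatch_log_group.cloudwatch_group.name, aws_cloudwatch_log_group.ec2.name] :
    "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${g}:*"
  ]
}

# Registration, polling and telemetry for the ECS agent.
resource "aws_iam_role_policy_attachment" "ecs_agent" {
  role       = aws_iam_role.ec2_instance_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}

data "aws_iam_policy_document" "ec2_instance" {
  # GetAuthorizationToken is account-wide and takes no resource ARN.
  statement {
    sid       = "EcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Pull only, and only from this application's repository. Nothing here can
  # replace the image that every task on the instance runs.
  statement {
    sid = "EcrPull"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [var.ecr_repository_arn]
  }

  # Write to the two groups Terraform creates; no CreateLogGroup needed.
  statement {
    sid = "ContainerLogs"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams",
    ]
    resources = local.log_group_arns
  }
}

resource "aws_iam_policy" "ec2_instance_policy" {
  name   = "${var.app_name}-ec2-instance-policy"
  tags   = merge(var.tags_common, { Name = "${var.app_name}-ec2-instance-policy" })
  policy = data.aws_iam_policy_document.ec2_instance.json
}
```

Checkov evaluates the policy documents it can see, so the managed-policy attachment does not reintroduce a finding; more importantly, the managed policy is maintained by AWS and cannot be widened in this repository by a one-line edit.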
Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
File: /modules/ecs/main.tf:266-287
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions
266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
267 | family = "${var.app_name}-task-definition"
268 | count = var.container_instance_type == "windows" ? 1 : 0
269 | execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
270 | task_role_arn = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
271 | requires_compatibilities = [
272 | "EC2",
273 | ]
274 |
275 | # volume {
276 | # name = var.task_definition_volume
277 | # }
278 |
279 | container_definitions = var.task_definition
280 |
281 | tags = merge(
282 | var.tags_common,
283 | {
284 | Name = "${var.app_name}-windows-task-definition"
285 | }
286 | )
287 | }
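CKV_AWS_249 flags the task definition because `execution_role_arn` and `task_role_arn` are the same role, which the two comments in the listing themselves say have different jobs. The execution role is used by the ECS agent to pull the image and write logs (and, when secrets are injected, to read them); the task role is what the application code holds at runtime. With one shared role, code execution inside the container also yields whatever the agent was granted, and the agent's role carries whatever the application was granted. Added example, not the module's code: two roles with a shared, confused-deputy-guarded trust policy, and the task definition pointing at each. The role names and the `task_app` statement's bucket variable are assumptions.

```hcl
# Added example (not from this repository). Role names and var.app_data_bucket_arn
# are assumptions; the task definition attributes are those listed above.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
    # Confused-deputy guard: only ECS in this account and region may assume.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

# Held by the ECS agent: image pull and log delivery only.
resource "aws_iam_role" "ecs_task_execution_role" {
  name               = "${var.app_name}-task-execution"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

resource "aws_iam_role_policy_attachment" "execution_managed" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Held by the containers: only what the application itself calls.
resource "aws_iam_role" "ecs_task_role" {
  name               = "${var.app_name}-task"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

data "aws_iam_policy_document" "task_app" {
  statement {
    sid       = "ReadAppData"
    actions   = ["s3:GetObject"]
    resources = ["${var.app_data_bucket_arn}/*"] # placeholder for the app's real needs
  }
}

resource "aws_iam_role_policy" "task_app" {
  role   = aws_iam_role.ecs_task_role.id
  policy = data.aws_iam_policy_document.task_app.json
}

resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
  count                    = var.container_instance_type == "windows" ? 1 : 0
  family                   = "${var.app_name}-task-definition"
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn # agent
  task_role_arn            = aws_iam_role.ecs_task_role.arn           # application code
  requires_compatibilities = ["EC2"]
  container_definitions    = var.task_definition

  tags = merge(var.tags_common, { Name = "${var.app_name}-windows-task-definition" })
}
```

If the container definitions use `secrets` to inject values from Secrets Manager or SSM, the `secretsmanager:GetSecretValue` / `ssm:GetParameters` grant belongs on the execution role, not the task role: the agent fetches them before the container starts, and the running code then has no API permission to read them again.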
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
File: /modules/ecs/main.tf:488-499
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
489 | #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
490 | name = "${var.app_name}-ecs-container-logs"
491 | retention_in_days = 90
492 | kms_key_id = var.log_group_kms_key
493 | tags = merge(
494 | var.tags_common,
495 | {
496 | Name = "${var.app_name}-ecs-container-logs"
497 | }
498 | )
499 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
File: /modules/ecs/main.tf:506-516
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
506 | resource "aws_cloudwatch_log_group" "ec2" {
507 | name = "${var.app_name}-ecs-ec2-logs"
508 | retention_in_days = 90
509 | kms_key_id = var.log_group_kms_key
510 | tags = merge(
511 | var.tags_common,
512 | {
513 | Name = "${var.app_name}-ecs-ec2-logs"
514 | }
515 | )
516 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.apex
File: /sns.tf:6-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
6 | resource "aws_sns_topic" "apex" {
7 | name = "${local.application_name}-${local.environment}-alerting-topic"
8 | tags = merge(
9 | local.tags,
10 | {
11 | Name = "${local.application_name}-${local.environment}-alerting-topic"
12 | }
13 | )
14 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: pagerduty_core_alerts
File: /sns.tf:34-41
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
34 | module "pagerduty_core_alerts" {
35 | depends_on = [
36 | aws_sns_topic.apex
37 | ]
38 | source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
39 | sns_topics = [aws_sns_topic.apex.name]
40 | pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
FAILED for resource: aws_waf_web_acl.waf_acl
File: /waf.tf:57-87
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31
57 | resource "aws_waf_web_acl" "waf_acl" {
58 | depends_on = [
59 | aws_waf_rule.wafmanualallowrule,
60 | aws_waf_rule.wafmanualblockrule,
61 | ]
62 | name = "${upper(local.application_name)} Whitelisting Requesters"
63 | metric_name = "${upper(local.application_name)}WhitelistingRequesters"
64 | # scope = "CLOUDFRONT"
65 | # provider = aws.us-east-1
66 | default_action {
67 | type = "BLOCK"
68 | }
69 |
70 | rules {
71 | action {
72 | type = "ALLOW"
73 | }
74 | priority = 1
75 | rule_id = aws_waf_rule.wafmanualallowrule.id
76 | type = "REGULAR"
77 | }
78 |
79 | rules {
80 | action {
81 | type = "BLOCK"
82 | }
83 | priority = 2
84 | rule_id = aws_waf_rule.wafmanualblockrule.id
85 | type = "REGULAR"
86 | }
87 | }
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
File: /lambda.tf:124-129
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
125 | bucket = aws_s3_bucket.backup_lambda.id
126 | rule {
127 | object_ownership = "ObjectWriter"
128 | }
129 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
checkov_exitcode=1
TFLint Scan Failed
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/apex
*****************************
Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
  on terraform/environments/apex/alb.tf line 17:
  17:   "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
  on terraform/environments/apex/alb.tf line 19:
  19:   zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)
  on terraform/environments/apex/cloudwatch.tf line 401:
  401: data "template_file" "dashboard" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)
  on terraform/environments/apex/ec2.tf line 40:
  40: data "local_file" "cloudwatch_agent" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
  on terraform/environments/apex/lambda.tf line 119:
  119: resource "time_sleep" "wait_for_provision_files" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
  on terraform/environments/apex/lambda.tf line 173:
  173: data "archive_file" "connect_db" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/apex
*****************************
Running Trivy in terraform/environments/apex
2024-09-12T13:25:34Z INFO [db] Need to update DB
2024-09-12T13:25:34Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T13:25:37Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T13:25:37Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T13:25:37Z INFO Need to update the built-in policies
2024-09-12T13:25:37Z INFO Downloading the built-in policies... 74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T13:25:37Z INFO [secret] Secret scanning is enabled
2024-09-12T13:25:37Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T13:25:37Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T13:25:37Z INFO [terraformscanner] Scanning root module file_path="."
2024-09-12T13:25:37Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T13:25:37Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-09-12T13:25:37Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-09-12T13:25:38Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-09-12T13:25:38Z INFO [terraformscanner] Scanning root module file_path="modules/lambdapolicy"
2024-09-12T13:25:38Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-09-12T13:25:38Z INFO [terraformscanner] Scanning root module file_path="modules/s3"
2024-09-12T13:25:38Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:25:38Z INFO [terraformexecutor] 
Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:84"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:217-230"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore 
finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:212-236"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:217-230"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:231"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:453-461"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:453-461"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:462"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO 
[terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:61-83"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding 
rule="aws-iam-no-policy-wildcards"range="lambda.tf:56-89"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="lambda.tf:84"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:453-461"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:453-461"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:447-466"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/ecs/main.tf:462"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-s3-enable-bucket-encryption"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-s3-enable-versioning"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] 
Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding 
rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:52"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding 
rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:25:38Z INFO [terraformexecutor] Ignore finding 
rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:52"2024-09-12T13:25:39Z INFO Number of language-specific files num=02024-09-12T13:25:39Z INFO Detected config files num=14
cloudfront.tf (terraform)
=========================
Tests:15 (SUCCESSES:13, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.
See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────
ec2.tf (terraform)
==================
Tests:16 (SUCCESSES:11, FAILURES:2, EXCEPTIONS:3)
Failures:2 (HIGH:1, CRITICAL:1)
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-38
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2.tf:105
via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
103 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 security_group_id = aws_security_group.database.id
105 [ cidr_ipv4 = "0.0.0.0/0"
106 ip_protocol = "-1"
107 }
────────────────────────────────────────
lambda.tf (terraform)
=====================
Tests:54 (SUCCESSES:7, FAILURES:3, EXCEPTIONS:44)
Failures:3 (HIGH:2, CRITICAL:1)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name ="${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name ="${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
modules/alb/main.tf (terraform)
===============================
Tests:8 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:1)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────
modules/ecs/main.tf (terraform)
===============================
Tests:33 (SUCCESSES:2, FAILURES:2, EXCEPTIONS:29)
Failures:2 (HIGH:1, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────
modules/s3/main.tf (terraform)
==============================
Tests:7 (SUCCESSES:5, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
sns.tf (terraform)
==================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:6-14
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "apex" {
7 │ name = "${local.application_name}-${local.environment}-alerting-topic"
8 │ tags = merge(
9 │ local.tags,
10 │ {
11 │ Name = "${local.application_name}-${local.environment}-alerting-topic"
12 │ }
13 │ )
14 └ }
────────────────────────────────────────
trivy_exitcode=1
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/apex
*****************************
Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-12 13:48:52,457 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-09-12 13:48:52,458 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 358, Failed checks: 94, Skipped checks: 5, Parsing errors: 1
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
FAILED for resource: aws_backup_vault.apex
File: /backups.tf:10-16
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk
10 | resource "aws_backup_vault" "apex" {
11 | name = "${local.application_name}-backup-vault"
12 | tags = merge(
13 | local.tags,
14 | { "Name" = "${local.application_name}-backup-vault" },
15 | )
16 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
File: /cloudfront.tf:156-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
157 | count = local.environment == "production" ? 1 : 0
158 | bucket = aws_s3_bucket.cloudfront.id
159 |
160 | rule {
161 | id = "delete-after-90days"
162 |
163 | expiration {
164 | days = 90
165 | }
166 |
167 | noncurrent_version_expiration {
168 | newer_noncurrent_versions = 1
169 | noncurrent_days = 90
170 | }
171 |
172 | status = "Enabled"
173 | }
174 | }
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.cloudfront
File: /cloudfront.tf:294-304
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
294 | resource "aws_acm_certificate" "cloudfront" {
295 | domain_name = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
296 | validation_method = "DNS"
297 | provider = aws.us-east-1
298 | subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
299 | tags = local.tags
300 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
301 | lifecycle {
302 | prevent_destroy = false
303 | }
304 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.apex_db_instance
File: /ec2.tf:6-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
6 | resource "aws_instance" "apex_db_instance" {
7 | ami = local.application_data.accounts[local.environment].ec2amiid
8 | associate_public_ip_address = false
9 | availability_zone = "eu-west-2a"
10 | ebs_optimized = true
11 | instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 | vpc_security_group_ids = [aws_security_group.database.id]
13 | monitoring = true
14 | subnet_id = data.aws_subnet.data_subnets_a.id
15 | iam_instance_profile = aws_iam_instance_profile.ec2_instance_profile.id
16 | key_name = aws_key_pair.apex.key_name
17 | user_data_base64 = base64encode(local.database-instance-userdata)
18 | user_data_replace_on_change = local.application_data.accounts[local.environment].user_data_replace_on_change
19 |
20 |
21 | root_block_device {
22 | delete_on_termination = false
23 | encrypted = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
24 | volume_size = 60
25 | volume_type = "gp2"
26 | tags = merge(
27 | local.tags,
28 | { "Name" = "${local.application_name}db-ec2-root" },
29 | )
30 | }
31 |
32 | tags = merge(
33 | local.tags,
34 | { "Name" = local.database_ec2_name },
35 | { "instance-scheduling" = "skip-scheduling" },
36 | { "snapshot-with-daily-7-day-retention" = "yes" }
37 | )
38 | }
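# Added example (not part of the scan output or the apex code): how CKV_AWS_79
# above and the earlier trivy finding on aws_launch_template.ec2-launch-template
# (http_tokens = "optional") are closed. The aws_instance body is the one listed
# above with a metadata_options block added; the launch template uses assumed
# names (var.ecs_ami_id, var.ecs_instance_type) because its body is not shown.
#
# Pre-flight check before switching to "required": the AWS/EC2 CloudWatch
# metric MetadataNoToken counts IMDSv1 calls per instance. It has to read zero
# for the Oracle and monitoring agents on the host, otherwise they lose their
# role credentials at apply time.

resource "aws_instance" "apex_db_instance" {
  ami                         = local.application_data.accounts[local.environment].ec2amiid
  associate_public_ip_address = false
  availability_zone           = "eu-west-2a"
  ebs_optimized               = true
  instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  vpc_security_group_ids      = [aws_security_group.database.id]
  monitoring                  = true
  subnet_id                   = data.aws_subnet.data_subnets_a.id
  iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
  key_name                    = aws_key_pair.apex.key_name
  user_data_base64            = base64encode(local.database-instance-userdata)
  user_data_replace_on_change = local.application_data.accounts[local.environment].user_data_replace_on_change

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # IMDSv2 only: every request must carry a PUT-obtained session token
    http_put_response_hop_limit = 1          # token responses die after one hop, so an SSRF through a local proxy cannot fetch them
    instance_metadata_tags      = "disabled"
  }

  root_block_device {
    delete_on_termination = false
    encrypted             = true
    volume_size           = 60
    volume_type           = "gp2"
    tags = merge(
      local.tags,
      { "Name" = "${local.application_name}db-ec2-root" },
    )
  }

  tags = merge(
    local.tags,
    { "Name" = local.database_ec2_name },
    { "instance-scheduling" = "skip-scheduling" },
    { "snapshot-with-daily-7-day-retention" = "yes" }
  )
}

resource "aws_launch_template" "ec2-launch-template" {
  name_prefix   = "ecs-cluster-"       # assumed
  image_id      = var.ecs_ami_id       # assumed
  instance_type = var.ecs_instance_type # assumed

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
    # ECS container instance: tasks in bridge network mode reach IMDS through the
    # docker bridge, one extra hop, so they need 2. Tasks in awsvpc or host mode
    # work with 1, which is the safer value because it keeps the instance role's
    # credentials away from containers entirely.
    http_put_response_hop_limit = 2
  }
}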
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
File: /ec2.tf:75-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
76 | security_group_id = aws_security_group.database.id
77 | description = "Allow Lambda SSH access for backup snapshots"
78 | referenced_security_group_id = aws_security_group.backup_lambda.id
79 | from_port = 22
80 | ip_protocol = "tcp"
81 | to_port = 22
82 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /ec2.tf:103-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 | security_group_id = aws_security_group.database.id
105 | cidr_ipv4 = "0.0.0.0/0"
106 | ip_protocol = "-1"
107 | }
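# Added example (not part of the scan output or the apex code): replacing the
# blanket outbound rules trivy flags on aws_security_group.backup_lambda
# (cidr_blocks = ["0.0.0.0/0"]) and CKV_AWS_23 flags on
# aws_vpc_security_group_egress_rule.db_outbound (0.0.0.0/0, every protocol,
# no description) with described, scoped rules.
#
# Worth noting on CKV_AWS_24 above: the db_lambda ingress rule it reports has
# no CIDR at all. It references the Lambda security group, so the database's
# SSH exposure is exactly the ENIs in that group, and the first rule below is
# that rule's outbound twin.
#
# Assumptions: an S3 gateway endpoint exists in the VPC, the AWS APIs the
# functions call (EC2, SSM, SES, Logs) are reachable over HTTPS inside
# var.vpc_cidr through interface endpoints, and the inline egress { } block in
# aws_security_group.backup_lambda is removed at the same time. Inline blocks
# and aws_vpc_security_group_*_rule resources managing the same group produce
# a perpetual plan diff.

# SSH to the database host, by group reference rather than by address
resource "aws_vpc_security_group_egress_rule" "lambda_to_db_ssh" {
  security_group_id            = aws_security_group.backup_lambda.id
  description                  = "SSH to database EC2 for backup snapshots (counterpart of ingress rule db_lambda)"
  referenced_security_group_id = aws_security_group.database.id
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
}

# S3 through the gateway endpoint: the managed prefix list is the set of S3
# addresses for this region and nothing else
data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.eu-west-2.s3"
}

resource "aws_vpc_security_group_egress_rule" "lambda_to_s3" {
  security_group_id = aws_security_group.backup_lambda.id
  description       = "HTTPS to S3 via the gateway endpoint prefix list"
  prefix_list_id    = data.aws_ec2_managed_prefix_list.s3.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# Every other AWS API over HTTPS to the VPC only, never to the internet
resource "aws_vpc_security_group_egress_rule" "lambda_to_vpc_https" {
  security_group_id = aws_security_group.backup_lambda.id
  description       = "HTTPS to VPC interface endpoints (EC2, SSM, SES, Logs APIs)"
  cidr_ipv4         = var.vpc_cidr # assumed
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# The database host gets the same treatment. What the Oracle host legitimately
# needs outbound is not visible in this file; start from HTTPS to the VPC for
# the CloudWatch and SSM agents and widen only from observed flow-log rejects.
resource "aws_vpc_security_group_egress_rule" "db_outbound" {
  security_group_id = aws_security_group.database.id
  description       = "HTTPS to VPC interface endpoints for the CloudWatch and SSM agents"
  cidr_ipv4         = var.vpc_cidr # assumed
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}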
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.database
File: /ec2.tf:263-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
263 | resource "aws_cloudwatch_log_group" "database" {
264 | name = "${upper(local.application_name)}-EC2-database-alert"
265 | retention_in_days = 0
266 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
267 | tags = merge(
268 | local.tags,
269 | {
270 | Name = "${upper(local.application_name)}-EC2-database-alert"
271 | }
272 | )
273 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.pmon_status
File: /ec2.tf:288-298
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
288 | resource "aws_cloudwatch_log_group" "pmon_status" {
289 | name = "${upper(local.application_name)}-EC2-database-pmon-status"
290 | retention_in_days = 0
291 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
292 | tags = merge(
293 | local.tags,
294 | {
295 | Name = "${upper(local.application_name)}-EC2-database-pmon-status"
296 | }
297 | )
298 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.ssh_key
File: /lambda.tf:7-22
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337
7 | resource "aws_ssm_parameter" "ssh_key" {
8 | name = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
9 | description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
10 | type = "SecureString"
11 | value = "Placeholder"
12 |
13 | tags = merge(
14 | local.tags,
15 | { Name = "EC2_SSH_KEY" }
16 | )
17 | lifecycle {
18 | ignore_changes = [
19 | value,
20 | ]
21 | }
22 | }
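# Added example (not part of the scan output or the apex code): one rotated
# customer managed key with the key policy the encrypting services need, wired
# into the resources flagged by CKV_AWS_166 (aws_backup_vault.apex), CKV_AWS_158
# (aws_cloudwatch_log_group.database; pmon_status is identical) and CKV_AWS_337
# (aws_ssm_parameter.ssh_key). The existing aws_kms_key.efs only needs its
# commented-out enable_key_rotation = true restored for CKV_AWS_7. Key and
# alias names are assumptions.
#
# Two things that bite in practice. CloudWatch Logs uses the key as a service
# principal, so without the second policy statement the log group is created
# fine and every PutLogEvents then fails with AccessDeniedException. And
# kms_key_arn on a backup vault forces replacement, so it has to be set before
# the vault holds recovery points (a vault with recovery points cannot be
# deleted). The vault key covers services with Backup-managed encryption such
# as EFS; EBS recovery points keep the source volume's own key.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "apex_cmk" {
  statement {
    sid       = "AccountAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "CloudWatchLogsUse"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    # Restrict the grant to log groups in this account; the encryption context
    # is set by the Logs service and cannot be forged by the caller
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "apex" {
  description             = "${local.application_name} CMK for backups, log groups and SSM parameters"
  enable_key_rotation     = true # CKV_AWS_7: yearly rotation of backing material, old material retained for decrypt
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.apex_cmk.json
  tags                    = local.tags
}

resource "aws_kms_alias" "apex" {
  name          = "alias/${local.application_name}-cmk"
  target_key_id = aws_kms_key.apex.key_id
}

resource "aws_backup_vault" "apex" {
  name        = "${local.application_name}-backup-vault"
  kms_key_arn = aws_kms_key.apex.arn # CKV_AWS_166
  tags        = merge(local.tags, { "Name" = "${local.application_name}-backup-vault" })
}

resource "aws_cloudwatch_log_group" "database" {
  name              = "${upper(local.application_name)}-EC2-database-alert"
  retention_in_days = 0
  kms_key_id        = aws_kms_key.apex.arn # CKV_AWS_158: this argument takes the key ARN, not the key id
  tags              = merge(local.tags, { Name = "${upper(local.application_name)}-EC2-database-alert" })
}

resource "aws_ssm_parameter" "ssh_key" {
  name        = "EC2_SSH_KEY"
  description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
  type        = "SecureString"
  key_id      = aws_kms_key.apex.key_id # CKV_AWS_337; the Lambda role now also needs kms:Decrypt on this key
  value       = "Placeholder"
  tags        = merge(local.tags, { Name = "EC2_SSH_KEY" })
  lifecycle {
    ignore_changes = [value]
  }
}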
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
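# Added example (not part of the scan output or the apex code): a scoped
# replacement for aws_iam_policy.backup_lambda, the policy behind
# CKV_AWS_287/288/289/290/355 above. s3:*, ssm:*, ses:*, logs:*, cloudwatch:*
# and sts:AssumeRole on Resource "*" let a compromised backup function read
# every parameter and bucket in the account and assume any role with a loose
# trust policy. Every ARN below comes from resources visible in this output
# (the three function names, aws_ssm_parameter.ssh_key,
# aws_s3_bucket.backup_lambda, the database instance's root volume). The
# snapshot tag that fences DeleteSnapshot is an assumption about what
# snapshot/dbsnapshot.handler writes; the SES identity is any identity in the
# account. sts:AssumeRole and cloudwatch:* are dropped because nothing visible
# here names a target role or a metric namespace; add them back scoped to that
# ARN or namespace if an invocation logs AccessDenied for them.
#
# Check before switching: generate a policy from the functions' CloudTrail
# history with IAM Access Analyzer and diff it against this document.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  backup_lambda_names = ["snapshotDBFunction", "deletesnapshotFunction", "connectDBFunction"]
  ec2_arn_prefix      = "arn:aws:ec2:${data.aws_region.current.name}"
  account_id          = data.aws_caller_identity.current.account_id
}

data "aws_iam_policy_document" "backup_lambda" {
  # ENI lifecycle for VPC-attached functions and the Describe* reads: neither
  # group is resource-scopable (AWSLambdaVPCAccessExecutionRole grants the ENI
  # actions on "*" too)
  statement {
    sid = "VpcNetworkingAndDescribe"
    actions = [
      "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
      "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
      "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeAddresses",
      "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    ]
    resources = ["*"]
  }

  # Snapshot the database host's volumes only (list further data volumes here)
  statement {
    sid     = "CreateSnapshot"
    actions = ["ec2:CreateSnapshot"]
    resources = [
      "${local.ec2_arn_prefix}:${local.account_id}:volume/${aws_instance.apex_db_instance.root_block_device[0].volume_id}",
      "${local.ec2_arn_prefix}::snapshot/*",
    ]
  }

  # Tag snapshots, and only as part of creating them
  statement {
    sid       = "TagNewSnapshots"
    actions   = ["ec2:CreateTags"]
    resources = ["${local.ec2_arn_prefix}::snapshot/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["CreateSnapshot"]
    }
  }

  # Delete only snapshots carrying the tag the create function sets (assumed tag)
  statement {
    sid       = "DeleteOwnSnapshots"
    actions   = ["ec2:DeleteSnapshot"]
    resources = ["${local.ec2_arn_prefix}::snapshot/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/Name"
      values   = [local.database_ec2_name]
    }
  }

  statement {
    sid       = "ReadSshKeyParameter"
    actions   = ["ssm:GetParameter"]
    resources = [aws_ssm_parameter.ssh_key.arn]
  }

  statement {
    sid       = "BackupBucketObjects"
    actions   = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]
    resources = [aws_s3_bucket.backup_lambda.arn, "${aws_s3_bucket.backup_lambda.arn}/*"]
  }

  statement {
    sid       = "SendBackupReport"
    actions   = ["ses:SendEmail", "ses:SendRawEmail"]
    resources = ["arn:aws:ses:${data.aws_region.current.name}:${local.account_id}:identity/*"]
  }

  statement {
    sid     = "WriteOwnLogs"
    actions = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [for n in local.backup_lambda_names :
      "arn:aws:logs:${data.aws_region.current.name}:${local.account_id}:log-group:/aws/lambda/${n}:*"
    ]
  }

  # If one function invokes another, it can only be one of these three
  statement {
    sid     = "InvokeSiblingFunctions"
    actions = ["lambda:InvokeFunction"]
    resources = [for n in local.backup_lambda_names :
      "arn:aws:lambda:${data.aws_region.current.name}:${local.account_id}:function:${n}"
    ]
  }
}

resource "aws_iam_policy" "backup_lambda" {
  name   = "${local.application_name}-${local.environment}-backup-lambda-policy"
  policy = data.aws_iam_policy_document.backup_lambda.json
  tags   = merge(local.tags, { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" })
}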
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.alb.s3-bucket[0]
File: /modules/alb/main.tf:124-179
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: module.alb.aws_acm_certificate.external_lb
File: /modules/alb/main.tf:658-668
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
658 | resource "aws_acm_certificate" "external_lb" {
659 |
660 | domain_name = var.acm_cert_domain_name
661 | validation_method = "DNS"
662 | subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
663 | tags = var.tags
664 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
665 | lifecycle {
666 | prevent_destroy = false
667 | }
668 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
File: /modules/codebuild/main.tf:25-39
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
26 | bucket = aws_s3_bucket.deployment_report.id
27 |
28 | rule {
29 | id = "monthly-expiration"
30 | expiration {
31 | days = var.s3_lifecycle_expiration_days
32 | }
33 | noncurrent_version_expiration {
34 | noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
35 | }
36 |
37 | status = "Enabled"
38 | }
39 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
File: /modules/codebuild/main.tf:231-280
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
File: /modules/ecs/main.tf:266-287
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions
266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
267 | family = "${var.app_name}-task-definition"
268 | count = var.container_instance_type == "windows" ? 1 : 0
269 | execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
270 | task_role_arn = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
271 | requires_compatibilities = [
272 | "EC2",
273 | ]
274 |
275 | # volume {
276 | # name = var.task_definition_volume
277 | # }
278 |
279 | container_definitions = var.task_definition
280 |
281 | tags = merge(
282 | var.tags_common,
283 | {
284 | Name = "${var.app_name}-windows-task-definition"
285 | }
286 | )
287 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
File: /modules/ecs/main.tf:488-499
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
489 | #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
490 | name = "${var.app_name}-ecs-container-logs"
491 | retention_in_days = 90
492 | kms_key_id = var.log_group_kms_key
493 | tags = merge(
494 | var.tags_common,
495 | {
496 | Name = "${var.app_name}-ecs-container-logs"
497 | }
498 | )
499 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
File: /modules/ecs/main.tf:506-516
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
506 | resource "aws_cloudwatch_log_group" "ec2" {
507 | name = "${var.app_name}-ecs-ec2-logs"
508 | retention_in_days = 90
509 | kms_key_id = var.log_group_kms_key
510 | tags = merge(
511 | var.tags_common,
512 | {
513 | Name = "${var.app_name}-ecs-ec2-logs"
514 | }
515 | )
516 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: pagerduty_core_alerts
File: /sns.tf:34-41
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
34 | module "pagerduty_core_alerts" {
35 | depends_on = [
36 | aws_sns_topic.apex
37 | ]
38 | source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
39 | sns_topics = [aws_sns_topic.apex.name]
40 | pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.apex
File: /sns.tf:6-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
6 | resource "aws_sns_topic" "apex" {
7 | name = "${local.application_name}-${local.environment}-alerting-topic"
8 | tags = merge(
9 | local.tags,
10 | {
11 | Name = "${local.application_name}-${local.environment}-alerting-topic"
12 | }
13 | )
14 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
FAILED for resource: aws_waf_web_acl.waf_acl
File: /waf.tf:57-87
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31
57 | resource "aws_waf_web_acl" "waf_acl" {
58 | depends_on = [
59 | aws_waf_rule.wafmanualallowrule,
60 | aws_waf_rule.wafmanualblockrule,
61 | ]
62 | name = "${upper(local.application_name)} Whitelisting Requesters"
63 | metric_name = "${upper(local.application_name)}WhitelistingRequesters"
64 | # scope = "CLOUDFRONT"
65 | # provider = aws.us-east-1
66 | default_action {
67 | type = "BLOCK"
68 | }
69 |
70 | rules {
71 | action {
72 | type = "ALLOW"
73 | }
74 | priority = 1
75 | rule_id = aws_waf_rule.wafmanualallowrule.id
76 | type = "REGULAR"
77 | }
78 |
79 | rules {
80 | action {
81 | type = "BLOCK"
82 | }
83 | priority = 2
84 | rule_id = aws_waf_rule.wafmanualblockrule.id
85 | type = "REGULAR"
86 | }
87 | }
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
File: /lambda.tf:124-129
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
125 | bucket = aws_s3_bucket.backup_lambda.id
126 | rule {
127 | object_ownership = "ObjectWriter"
128 | }
129 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
checkov_exitcode=1
TFLint Scan Failed
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/apex
*****************************
Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/alb.tf line 17:
17: "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/alb.tf line 19:
19: zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/cloudwatch.tf line 401:
401: data "template_file" "dashboard" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/ec2.tf line 40:
40: data "local_file" "cloudwatch_agent" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/event_triggers.tf line 22:
22: input = jsonencode({ "appname" : "${local.database_ec2_name}" })
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/lambda.tf line 119:
119: resource "time_sleep" "wait_for_provision_files" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/lambda.tf line 173:
173: data "archive_file" "connect_db" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/apex
*****************************
Running Trivy in terraform/environments/apex
2024-09-12T13:48:43Z INFO [db] Need to update DB
2024-09-12T13:48:43Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T13:48:46Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T13:48:46Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T13:48:46Z INFO Need to update the built-in policies
2024-09-12T13:48:46Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T13:48:46Z INFO [secret] Secret scanning is enabled
2024-09-12T13:48:46Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T13:48:46Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T13:48:47Z INFO [terraformscanner] Scanning root module file_path="."
2024-09-12T13:48:47Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T13:48:47Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-09-12T13:48:47Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-09-12T13:48:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-09-12T13:48:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-09-12T13:48:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-09-12T13:48:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-09-12T13:48:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-09-12T13:48:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-09-12T13:48:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-09-12T13:48:49Z INFO [terraformscanner] Scanning root module file_path="modules/lambdapolicy"
2024-09-12T13:48:49Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-09-12T13:48:49Z INFO [terraformscanner] Scanning root module file_path="modules/s3"
2024-09-12T13:48:49Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:231"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:48:49Z INFO [terraformexecutor]
Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding 
rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:52"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding 
rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:29-51"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:24-57"2024-09-12T13:48:49Z INFO [terraformexecutor] Ignore finding 
rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:52"2024-09-12T13:48:49Z INFO Number of language-specific files num=02024-09-12T13:48:49Z INFO Detected config files num=14
cloudfront.tf (terraform)
=========================
Tests:15 (SUCCESSES:13, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (e.g. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the CloudFront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plans.
The only option when using the cloudfront.net domain name is to ignore this rule.
See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────
ec2.tf (terraform)
==================
Tests:16 (SUCCESSES:11, FAILURES:2, EXCEPTIONS:3)
Failures:2 (HIGH:1, CRITICAL:1)
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block with its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-38
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2.tf:105
via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
103 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 security_group_id = aws_security_group.database.id
105 [ cidr_ipv4 = "0.0.0.0/0"
106 ip_protocol = "-1"
107 }
────────────────────────────────────────
lambda.tf (terraform)
=====================
Tests:54 (SUCCESSES:7, FAILURES:3, EXCEPTIONS:44)
Failures:3 (HIGH:2, CRITICAL:1)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name ="${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name ="${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
modules/alb/main.tf (terraform)
===============================
Tests:8 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:1)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────
modules/ecs/main.tf (terraform)
===============================
Tests:33 (SUCCESSES:2, FAILURES:2, EXCEPTIONS:29)
Failures:2 (HIGH:1, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks =lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block with its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────
modules/s3/main.tf (terraform)
==============================
Tests:7 (SUCCESSES:5, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
sns.tf (terraform)
==================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:6-14
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "apex" {
7 │ name = "${local.application_name}-${local.environment}-alerting-topic"
8 │ tags = merge(
9 │ local.tags,
10 │ {
11 │ Name = "${local.application_name}-${local.environment}-alerting-topic"
12 │ }
13 │ )
14 └ }
────────────────────────────────────────
trivy_exitcode=1
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/apex
*****************************
Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-12 13:58:20,785 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-09-12 13:58:20,785 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 358, Failed checks: 94, Skipped checks: 5, Parsing errors: 1
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
FAILED for resource: aws_backup_vault.apex
File: /backups.tf:10-16
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk
10 | resource "aws_backup_vault" "apex" {
11 | name = "${local.application_name}-backup-vault"
12 | tags = merge(
13 | local.tags,
14 | { "Name" = "${local.application_name}-backup-vault" },
15 | )
16 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
File: /cloudfront.tf:156-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
157 | count = local.environment == "production" ? 1 : 0
158 | bucket = aws_s3_bucket.cloudfront.id
159 |
160 | rule {
161 | id = "delete-after-90days"
162 |
163 | expiration {
164 | days = 90
165 | }
166 |
167 | noncurrent_version_expiration {
168 | newer_noncurrent_versions = 1
169 | noncurrent_days = 90
170 | }
171 |
172 | status = "Enabled"
173 | }
174 | }
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.cloudfront
File: /cloudfront.tf:294-304
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
294 | resource "aws_acm_certificate" "cloudfront" {
295 | domain_name = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
296 | validation_method = "DNS"
297 | provider = aws.us-east-1
298 | subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
299 | tags = local.tags
300 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
301 | lifecycle {
302 | prevent_destroy = false
303 | }
304 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.apex_db_instance
File: /ec2.tf:6-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
6 | resource "aws_instance" "apex_db_instance" {
7 | ami = local.application_data.accounts[local.environment].ec2amiid
8 | associate_public_ip_address = false
9 | availability_zone = "eu-west-2a"
10 | ebs_optimized = true
11 | instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 | vpc_security_group_ids = [aws_security_group.database.id]
13 | monitoring = true
14 | subnet_id = data.aws_subnet.data_subnets_a.id
15 | iam_instance_profile = aws_iam_instance_profile.ec2_instance_profile.id
16 | key_name = aws_key_pair.apex.key_name
17 | user_data_base64 = base64encode(local.database-instance-userdata)
18 | user_data_replace_on_change = local.application_data.accounts[local.environment].user_data_replace_on_change
19 |
20 |
21 | root_block_device {
22 | delete_on_termination = false
23 | encrypted = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
24 | volume_size = 60
25 | volume_type = "gp2"
26 | tags = merge(
27 | local.tags,
28 | { "Name" = "${local.application_name}db-ec2-root" },
29 | )
30 | }
31 |
32 | tags = merge(
33 | local.tags,
34 | { "Name" = local.database_ec2_name },
35 | { "instance-scheduling" = "skip-scheduling" },
36 | { "snapshot-with-daily-7-day-retention" = "yes" }
37 | )
38 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
File: /ec2.tf:75-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
76 | security_group_id = aws_security_group.database.id
77 | description = "Allow Lambda SSH access for backup snapshots"
78 | referenced_security_group_id = aws_security_group.backup_lambda.id
79 | from_port = 22
80 | ip_protocol = "tcp"
81 | to_port = 22
82 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /ec2.tf:103-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 | security_group_id = aws_security_group.database.id
105 | cidr_ipv4 = "0.0.0.0/0"
106 | ip_protocol = "-1"
107 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.database
File: /ec2.tf:263-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
263 | resource "aws_cloudwatch_log_group" "database" {
264 | name = "${upper(local.application_name)}-EC2-database-alert"
265 | retention_in_days = 0
266 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
267 | tags = merge(
268 | local.tags,
269 | {
270 | Name = "${upper(local.application_name)}-EC2-database-alert"
271 | }
272 | )
273 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.pmon_status
File: /ec2.tf:288-298
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
288 | resource "aws_cloudwatch_log_group" "pmon_status" {
289 | name = "${upper(local.application_name)}-EC2-database-pmon-status"
290 | retention_in_days = 0
291 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
292 | tags = merge(
293 | local.tags,
294 | {
295 | Name = "${upper(local.application_name)}-EC2-database-pmon-status"
296 | }
297 | )
298 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.ssh_key
File: /lambda.tf:7-22
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337
7 | resource "aws_ssm_parameter" "ssh_key" {
8 | name = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
9 | description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
10 | type = "SecureString"
11 | value = "Placeholder"
12 |
13 | tags = merge(
14 | local.tags,
15 | { Name = "EC2_SSH_KEY" }
16 | )
17 | lifecycle {
18 | ignore_changes = [
19 | value,
20 | ]
21 | }
22 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: module.alb.aws_acm_certificate.external_lb
File: /modules/alb/main.tf:658-668
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
658 | resource "aws_acm_certificate" "external_lb" {
659 |
660 | domain_name = var.acm_cert_domain_name
661 | validation_method = "DNS"
662 | subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
663 | tags = var.tags
664 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
665 | lifecycle {
666 | prevent_destroy = false
667 | }
668 | }
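CKV_AWS_233 is about the replacement order of the certificate: without create_before_destroy, a change that forces a new certificate deletes the one the ALB listener is using before the replacement is issued, which takes the listener down. The example below is added here and is not the module's code; it shows the lifecycle setting together with the DNS validation records that make an in-place replacement actually complete. var.zone_id (the Route 53 hosted zone the records go into) is an assumed input; the other inputs are the ones the flagged resource already uses.

```hcl
# Added example, not the module's code. var.zone_id is assumed.
resource "aws_acm_certificate" "external_lb" {
  domain_name               = var.acm_cert_domain_name
  validation_method         = "DNS"
  subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
  tags                      = var.tags

  # CKV_AWS_233: issue the replacement first, then retire the old certificate,
  # so the listener always has a valid certificate attached.
  lifecycle {
    create_before_destroy = true
  }
}

# One CNAME per domain on the certificate. allow_overwrite matters here: during a
# create_before_destroy replacement both certificates can ask for the same record.
resource "aws_route53_record" "external_lb_validation" {
  for_each = {
    for dvo in aws_acm_certificate.external_lb.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.zone_id
}

# Blocks until ACM reports ISSUED, so anything that depends on this resource
# (the HTTPS listener) only ever references a usable certificate.
resource "aws_acm_certificate_validation" "external_lb" {
  certificate_arn         = aws_acm_certificate.external_lb.arn
  validation_record_fqdns = [for r in aws_route53_record.external_lb_validation : r.fqdn]
}
```

Point the listener's certificate_arn at aws_acm_certificate_validation.external_lb.certificate_arn rather than at the certificate resource directly; that is what ties the listener update to a validated certificate.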
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.alb.s3-bucket[0]
File: /modules/alb/main.tf:124-179
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
File: /modules/codebuild/main.tf:25-39
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
26 | bucket = aws_s3_bucket.deployment_report.id
27 |
28 | rule {
29 | id = "monthly-expiration"
30 | expiration {
31 | days = var.s3_lifecycle_expiration_days
32 | }
33 | noncurrent_version_expiration {
34 | noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
35 | }
36 |
37 | status = "Enabled"
38 | }
39 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
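The three ECR findings (CKV_AWS_51, CKV_AWS_163, CKV_AWS_136) all sit on one repository resource. Below it is rewritten with the three settings, plus a lifecycle policy to keep the repository bounded; this is an added example, not the module's code. aws_kms_key.ecr is an assumed key created for the illustration. Of the three, tag immutability is the supply-chain control: with MUTABLE tags anyone with push access can re-point a tag the task definition already trusts at a different image without the task definition changing.

```hcl
# Added example, not the module's code. aws_kms_key.ecr is assumed.
resource "aws_kms_key" "ecr" {
  description         = "CMK for ECR image layers"
  enable_key_rotation = true
}

resource "aws_ecr_repository" "local-ecr" {
  name = "${var.app_name}-local-ecr"

  # CKV_AWS_51: a pushed tag can never be re-pointed at another image. The
  # pipeline must push unique tags (for example the git commit) instead of
  # overwriting a floating tag such as "latest".
  image_tag_mutability = "IMMUTABLE"

  # CKV_AWS_163: every pushed image is scanned for known CVEs.
  image_scanning_configuration {
    scan_on_push = true
  }

  # CKV_AWS_136: layers are encrypted under a key this account controls.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  tags = merge(
    var.tags,
    {
      Name = "${var.app_name}-local-ecr"
    },
  )
}

# Untagged layers accumulate quickly once tags are immutable; expire them.
resource "aws_ecr_lifecycle_policy" "local-ecr" {
  repository = aws_ecr_repository.local-ecr.name
  policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "Expire untagged images after 14 days"
      selection = {
        tagStatus   = "untagged"
        countType   = "sinceImagePushed"
        countUnit   = "days"
        countNumber = 14
      }
      action = { type = "expire" }
    }]
  })
}
```

Changing encryption_configuration on an existing repository forces a replacement, so existing images have to be re-pushed; plan that change separately from the tag and scanning changes, which apply in place.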
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
File: /modules/codebuild/main.tf:231-280
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
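The CodeBuild resources are not printed above, so the following is an added, stand-alone example of the two settings CKV_AWS_314 and CKV_AWS_316 look for, written for the test-build project; it is not the module's code. aws_iam_role.codebuild, the CODEPIPELINE source/artifact type and var.log_group_kms_key are assumed for the illustration.

```hcl
# Added example, not the module's code. The service role, the source type and
# var.log_group_kms_key are assumed.
resource "aws_cloudwatch_log_group" "codebuild" {
  name              = "/aws/codebuild/${var.app_name}"
  retention_in_days = 365
  kms_key_id        = var.log_group_kms_key
  tags              = var.tags
}

resource "aws_codebuild_project" "test-build" {
  name          = "${var.app_name}-test-build"
  service_role  = aws_iam_role.codebuild.arn
  build_timeout = 30

  artifacts {
    type = "CODEPIPELINE"
  }

  source {
    type = "CODEPIPELINE"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:7.0"
    type         = "LINUX_CONTAINER"

    # CKV_AWS_316: a test stage does not build container images, so it gets no
    # Docker daemon and no elevated privileges inside the build container.
    privileged_mode = false
  }

  # CKV_AWS_314: a durable record of every command the build ran, in a log group
  # whose retention and encryption are set above rather than CodeBuild defaults.
  logs_config {
    cloudwatch_logs {
      status      = "ENABLED"
      group_name  = aws_cloudwatch_log_group.codebuild.name
      stream_name = "test-build"
    }
  }

  tags = var.tags
}
```

For app-build the picture is different: if that project runs docker build, CodeBuild needs privileged_mode = true to start the Docker daemon, and the honest fix for CKV_AWS_316 is a `#checkov:skip=CKV_AWS_316:<reason>` comment on the resource plus a service role scoped to exactly the ECR repository it pushes to, not a silent flip of the flag that breaks the build.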
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341
Code lines for this resource are too many. Please use IDE of your choice to review the file.
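The launch template is also elided above, so here is an added example (not the module's code) of the metadata_options block that clears CKV_AWS_79 and CKV_AWS_341. var.ami_id, var.instance_type and aws_iam_instance_profile.ec2_instance_profile are assumed; the instance profile is the reason this matters, since IMDSv1 is the route by which an SSRF or an escaped container turns into the instance role's credentials.

```hcl
# Added example, not the module's code. AMI, instance type and instance profile are assumed.
resource "aws_launch_template" "ec2-launch-template" {
  name_prefix   = "${var.app_name}-ecs-"
  image_id      = var.ami_id
  instance_type = var.instance_type

  iam_instance_profile {
    arn = aws_iam_instance_profile.ec2_instance_profile.arn
  }

  metadata_options {
    http_endpoint = "enabled"

    # CKV_AWS_79: IMDSv2 only. Every request must carry a session token obtained
    # with a PUT, which a plain GET-based SSRF cannot perform.
    http_tokens = "required"

    # CKV_AWS_341: the token's PUT response may travel one network hop. Anything
    # behind a bridge (a container on the docker0 network) is two hops away and
    # cannot obtain a token from the host's IMDS.
    http_put_response_hop_limit = 1

    instance_metadata_tags = "disabled"
  }

  tag_specifications {
    resource_type = "instance"
    tags          = merge(var.tags_common, { Name = "${var.app_name}-ecs-instance" })
  }
}
```

The hop limit of 1 is the intended outcome for ECS on EC2: the ECS agent runs on the host and is unaffected, while tasks in bridge network mode lose IMDS access and must use their task role through the agent's credential endpoint (169.254.170.2) instead of inheriting the instance role. Raising the limit to 2 to "make containers work" gives every task the instance role back.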
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
File: /modules/ecs/main.tf:266-287
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions
266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
267 | family = "${var.app_name}-task-definition"
268 | count = var.container_instance_type == "windows" ? 1 : 0
269 | execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
270 | task_role_arn = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
271 | requires_compatibilities = [
272 | "EC2",
273 | ]
274 |
275 | # volume {
276 | # name = var.task_definition_volume
277 | # }
278 |
279 | container_definitions = var.task_definition
280 |
281 | tags = merge(
282 | var.tags_common,
283 | {
284 | Name = "${var.app_name}-windows-task-definition"
285 | }
286 | )
287 | }
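CKV_AWS_249 flags that the task definition above hands the same role to the ECS agent (execution_role_arn) and to the application code in the container (task_role_arn). The execution role needs to pull images and write logs; the application usually needs neither, and whatever the application is later granted should not also be available to the agent. Below is an added example, not the module's code, splitting the two roles and adding an aws:SourceAccount condition to the trust policy so only tasks in this account can assume them.

```hcl
# Added example, not the module's code.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
    # Confused-deputy guard: ECS may only assume these roles on behalf of
    # tasks that belong to this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Used by the ECS agent: pull the image, write container logs, read secrets
# referenced in the container definition. Nothing application-specific.
resource "aws_iam_role" "ecs_task_execution_role" {
  name               = "${var.app_name}-ecs-task-execution-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
  tags               = var.tags_common
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Assumed by the code running in the container. It starts empty; only the AWS
# calls the application actually makes get attached to it.
resource "aws_iam_role" "ecs_task_role" {
  name               = "${var.app_name}-ecs-task-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
  tags               = var.tags_common
}

resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
  family                   = "${var.app_name}-task-definition"
  count                    = var.container_instance_type == "windows" ? 1 : 0
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn # the agent
  task_role_arn            = aws_iam_role.ecs_task_role.arn           # the application
  requires_compatibilities = ["EC2"]
  container_definitions    = var.task_definition

  tags = merge(
    var.tags_common,
    {
      Name = "${var.app_name}-windows-task-definition"
    }
  )
}
```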
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
File: /modules/ecs/main.tf:488-499
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
489 | #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
490 | name = "${var.app_name}-ecs-container-logs"
491 | retention_in_days = 90
492 | kms_key_id = var.log_group_kms_key
493 | tags = merge(
494 | var.tags_common,
495 | {
496 | Name = "${var.app_name}-ecs-container-logs"
497 | }
498 | )
499 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
File: /modules/ecs/main.tf:506-516
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
506 | resource "aws_cloudwatch_log_group" "ec2" {
507 | name = "${var.app_name}-ecs-ec2-logs"
508 | retention_in_days = 90
509 | kms_key_id = var.log_group_kms_key
510 | tags = merge(
511 | var.tags_common,
512 | {
513 | Name = "${var.app_name}-ecs-ec2-logs"
514 | }
515 | )
516 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
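Five checks fire on aws_iam_policy.backuplambdapolicy because it grants s3:*, ssm:*, ses:*, logs:*, cloudwatch:* and sts:AssumeRole on Resource "*": that is read access to every bucket and every SSM parameter in the account (the CKV_AWS_288 exfiltration and CKV_AWS_287 credential-exposure findings), and the ability to assume any role that trusts the Lambda role. The rewrite below is an added example, not the module's code. It keeps every action the function plausibly needs but names its targets; the bucket ARN, parameter path, SES identity, function name, metric namespace and target role are assumed inputs declared at the top. Describe* and PutMetricData genuinely do not support resource ARNs, so "*" stays there and CKV_AWS_355 accepts it. The same treatment applies to the ecr:* in ec2_instance_policy above: ecr:GetAuthorizationToken needs "*", the pull actions take the repository ARN.

```hcl
# Added example, not the module's code. These inputs are assumed for the illustration.
variable "backup_bucket_arn" { type = string }
variable "ssm_parameter_path" { type = string } # e.g. "/apex/backup"
variable "ses_identity_arn" { type = string }
variable "function_name" { type = string }
variable "metric_namespace" { type = string }
variable "backup_target_role_arn" { type = string }

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.name
}

data "aws_iam_policy_document" "backup_lambda" {
  # Describe* calls carry no resource ARN; "*" is the only valid resource here.
  statement {
    sid = "DescribeEc2"
    actions = [
      "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes",
      "ec2:DescribeSnapshots", "ec2:DescribeAddresses", "ec2:DescribeSubnets",
      "ec2:DescribeVpcs", "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkInterfaces",
    ]
    resources = ["*"]
  }

  # ENI management for a VPC-attached function (what AWSLambdaVPCAccessExecutionRole grants).
  statement {
    sid       = "VpcEni"
    actions   = ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface"]
    resources = ["*"]
  }

  # Snapshot writes only against this account's volumes. Snapshot ARNs carry no
  # account id, so that resource is region-scoped.
  statement {
    sid     = "Snapshots"
    actions = ["ec2:CreateSnapshot", "ec2:DeleteSnapshot"]
    resources = [
      "arn:aws:ec2:${local.region}:${local.account_id}:volume/*",
      "arn:aws:ec2:${local.region}::snapshot/*",
    ]
  }

  # Tagging only as part of CreateSnapshot, not arbitrary retagging of resources.
  statement {
    sid       = "TagNewSnapshots"
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:${local.region}::snapshot/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["CreateSnapshot"]
    }
  }

  # s3:* on "*" becomes object read/write on the one backup bucket.
  statement {
    sid       = "BackupBucket"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [var.backup_bucket_arn, "${var.backup_bucket_arn}/*"]
  }

  # ssm:* on "*" becomes read of one parameter subtree.
  statement {
    sid       = "ReadParameters"
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["arn:aws:ssm:${local.region}:${local.account_id}:parameter${var.ssm_parameter_path}/*"]
  }

  statement {
    sid       = "SendMail"
    actions   = ["ses:SendEmail", "ses:SendRawEmail"]
    resources = [var.ses_identity_arn]
  }

  # logs:* on "*" becomes write access to this function's own log group.
  statement {
    sid       = "FunctionLogs"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${local.region}:${local.account_id}:log-group:/aws/lambda/${var.function_name}:*"]
  }

  # PutMetricData has no resource ARN; constrain it by namespace instead.
  statement {
    sid       = "Metrics"
    actions   = ["cloudwatch:PutMetricData"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "cloudwatch:namespace"
      values   = [var.metric_namespace]
    }
  }

  statement {
    sid       = "InvokeNamedFunction"
    actions   = ["lambda:InvokeFunction"]
    resources = ["arn:aws:lambda:${local.region}:${local.account_id}:function:${var.function_name}"]
  }

  # sts:AssumeRole on "*" let the function assume any role trusting it; name the one it uses.
  statement {
    sid       = "AssumeBackupRole"
    actions   = ["sts:AssumeRole"]
    resources = [var.backup_target_role_arn]
  }
}

resource "aws_iam_policy" "backuplambdapolicy" {
  name   = var.backup_policy_name
  tags   = var.tags
  policy = data.aws_iam_policy_document.backup_lambda.json
}
```

Before replacing the policy, confirm the assumed targets against what the function actually does (CloudTrail for the Lambda role over a few weeks, or IAM Access Advisor's last-accessed data, lists the services and actions really used), then remove any statement above that turns out to be unused.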
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.apex
File: /sns.tf:6-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
6 | resource "aws_sns_topic" "apex" {
7 | name = "${local.application_name}-${local.environment}-alerting-topic"
8 | tags = merge(
9 | local.tags,
10 | {
11 | Name = "${local.application_name}-${local.environment}-alerting-topic"
12 | }
13 | )
14 | }
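CKV_AWS_149 (the Secrets Manager secret in modules/alb, above) and CKV_AWS_26 (this SNS topic) ask for the same thing: a customer managed KMS key on the resource. The example below is added here and is not the repository's code. It creates one key with an explicit key policy and applies it to both resources; in the repository the secret lives in the ALB module, so there the key ARN would arrive as a module input rather than a direct reference. The key policy is the part people miss: once the alerting topic is encrypted, CloudWatch alarms can only publish to it if the key lets the cloudwatch.amazonaws.com service principal generate data keys, otherwise alarm actions fail and alerts are lost.

```hcl
# Added example, not the repository's code. The key and its policy are assumed.
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "alerting" {
  description         = "CMK for the ALB/CloudFront secret and the alerting SNS topic"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Keep the account able to administer the key; without this statement
        # KMS refuses the policy as a lockout.
        Sid       = "AccountAdministersKey"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # CloudWatch alarms publishing to the encrypted topic need these two calls.
        Sid       = "CloudWatchAlarmsPublish"
        Effect    = "Allow"
        Principal = { Service = "cloudwatch.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource  = "*"
      }
    ]
  })
}

# CKV_AWS_149
resource "aws_secretsmanager_secret" "cloudfront" {
  name        = "cloudfront-v1-secret-${local.application_name}"
  description = "Secret shared between ALB and CloudFront"
  kms_key_id  = aws_kms_key.alerting.arn
}

# CKV_AWS_26
resource "aws_sns_topic" "apex" {
  name              = "${local.application_name}-${local.environment}-alerting-topic"
  kms_master_key_id = aws_kms_key.alerting.id
  tags = merge(
    local.tags,
    {
      Name = "${local.application_name}-${local.environment}-alerting-topic"
    }
  )
}
```

Any other publisher (EventBridge rules, S3 event notifications, other accounts) needs its own statement in the key policy in the same way; the alarm statement above only covers CloudWatch.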
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: pagerduty_core_alerts
File: /sns.tf:34-41
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
34 | module "pagerduty_core_alerts" {
35 | depends_on = [
36 | aws_sns_topic.apex
37 | ]
38 | source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
39 | sns_topics = [aws_sns_topic.apex.name]
40 | pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
41 | }
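CKV_TF_1 appears twice on this page, for module.alb.s3-bucket above and for pagerduty_core_alerts here, and both are the same supply-chain point: a git tag like v2.0.0 is a mutable pointer that anyone with write access to the upstream repository can move or delete and recreate, so "ref=v2.0.0" does not guarantee the code that was reviewed is the code that runs. A commit hash does. Below is the pagerduty module call pinned that way; it is an added example, not the repository's code, and the 40-hex value is a placeholder, not the real hash of v2.0.0.

```hcl
# Added example, not the repository's code. The ref value is a placeholder.
module "pagerduty_core_alerts" {
  depends_on = [
    aws_sns_topic.apex
  ]

  # Resolve the tag to the commit it points at once, pin to that, and keep the
  # tag in a trailing comment so reviewers still see the intended version:
  #   git ls-remote https://github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration 'refs/tags/v2.0.0^{}'
  # (the ^{} suffix returns the commit for an annotated tag, not the tag object)
  source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0000000000000000000000000000000000000000" # v2.0.0

  sns_topics                = [aws_sns_topic.apex.name]
  pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
}
```

The cost is that upgrades become explicit hash changes in a reviewed commit, which is the point; tools such as Renovate can open those pull requests with the tag-to-hash mapping filled in.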
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
FAILED for resource: aws_waf_web_acl.waf_acl
File: /waf.tf:57-87
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31
57 | resource "aws_waf_web_acl" "waf_acl" {
58 | depends_on = [
59 | aws_waf_rule.wafmanualallowrule,
60 | aws_waf_rule.wafmanualblockrule,
61 | ]
62 | name = "${upper(local.application_name)} Whitelisting Requesters"
63 | metric_name = "${upper(local.application_name)}WhitelistingRequesters"
64 | # scope = "CLOUDFRONT"
65 | # provider = aws.us-east-1
66 | default_action {
67 | type = "BLOCK"
68 | }
69 |
70 | rules {
71 | action {
72 | type = "ALLOW"
73 | }
74 | priority = 1
75 | rule_id = aws_waf_rule.wafmanualallowrule.id
76 | type = "REGULAR"
77 | }
78 |
79 | rules {
80 | action {
81 | type = "BLOCK"
82 | }
83 | priority = 2
84 | rule_id = aws_waf_rule.wafmanualblockrule.id
85 | type = "REGULAR"
86 | }
87 | }
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65
Code lines for this resource are too many. Please use IDE of your choice to review the file.
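The distribution itself is elided above, so the following is an added example, not the repository's code, of the response headers policy CKV2_AWS_32 looks for. A policy like this sets the browser-side hardening headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) at the edge so they do not depend on the origin remembering to send them. The Content-Security-Policy value is deliberately left for the origin to override, since a CSP imposed at the CDN without knowledge of the application tends to break it.

```hcl
# Added example, not the repository's code.
resource "aws_cloudfront_response_headers_policy" "security_headers" {
  name = "${local.application_name}-${local.environment}-security-headers"

  security_headers_config {
    # One year, covering subdomains; override replaces any weaker origin value.
    strict_transport_security {
      access_control_max_age_sec = 31536000
      include_subdomains         = true
      preload                    = true
      override                   = true
    }

    content_type_options {
      override = true
    }

    frame_options {
      frame_option = "DENY"
      override     = true
    }

    referrer_policy {
      referrer_policy = "strict-origin-when-cross-origin"
      override        = true
    }

    xss_protection {
      mode_block = true
      protection = true
      override   = true
    }

    # A conservative default applied only when the origin sends no CSP of its own.
    content_security_policy {
      content_security_policy = "default-src 'self'; frame-ancestors 'none'"
      override                = false
    }
  }
}
```

Attach it with response_headers_policy_id = aws_cloudfront_response_headers_policy.security_headers.id inside the distribution's default_cache_behavior (and any ordered_cache_behavior), then confirm with curl -sI against the distribution that the headers arrive on both cached and uncached responses.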
Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47
Code lines for this resource are too many. Please use IDE of your choice to review the file.
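Two findings point the same way: CKV_AWS_176 wants logging on the web ACL, and CKV2_AWS_47 wants a WAFv2 web ACL with the AWS managed rule group that covers Log4j payloads, which aws_waf_web_acl (the Classic generation) cannot carry. The commented-out scope = "CLOUDFRONT" and provider = aws.us-east-1 lines in the WAF resource above are WAFv2 syntax, so the intent was already there. Below is an added example, not the repository's code, of the equivalent WAFv2 web ACL for the distribution: the same default-block posture and manual allow list, the known-bad-inputs managed rule group in front of it, and logging to CloudWatch. var.allowed_cidrs (the allow-list addresses) and the aws.us-east-1 provider alias are assumed; CloudFront-scoped WAFv2 resources must be created in us-east-1.

```hcl
# Added example, not the repository's code. var.allowed_cidrs and the
# aws.us-east-1 provider alias are assumed.
resource "aws_wafv2_ip_set" "manual_allow" {
  provider           = aws.us-east-1
  name               = "${local.application_name}-manual-allow"
  scope              = "CLOUDFRONT"
  ip_address_version = "IPV4"
  addresses          = var.allowed_cidrs
}

resource "aws_wafv2_web_acl" "cloudfront" {
  provider = aws.us-east-1
  name     = "${upper(local.application_name)}-whitelisting-requesters"
  scope    = "CLOUDFRONT"

  default_action {
    block {}
  }

  # CKV2_AWS_47: AWS-managed rules for Log4j JNDI strings and other known-bad
  # inputs. Lowest priority number runs first, so allow-listed clients are
  # still screened by it.
  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 0
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "KnownBadInputs"
      sampled_requests_enabled   = true
    }
  }

  # The manual allow list; everything not matched falls through to BLOCK.
  rule {
    name     = "ManualAllow"
    priority = 1
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.manual_allow.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "ManualAllow"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${upper(local.application_name)}WhitelistingRequesters"
    sampled_requests_enabled   = true
  }
}

# CKV_AWS_176: log every evaluated request. WAF only accepts destinations whose
# name starts with "aws-waf-logs-".
resource "aws_cloudwatch_log_group" "waf" {
  provider          = aws.us-east-1
  name              = "aws-waf-logs-${local.application_name}-${local.environment}"
  retention_in_days = 365
}

resource "aws_wafv2_web_acl_logging_configuration" "cloudfront" {
  provider                = aws.us-east-1
  resource_arn            = aws_wafv2_web_acl.cloudfront.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]
}
```

Attach it to the distribution with web_acl_id = aws_wafv2_web_acl.cloudfront.arn (WAFv2 takes the ARN where Classic took the ACL id). The existing wafmanualblockrule maps to a second IP set with action block {} at a priority below the allow rule. If the Classic ACL has to stay for now, its logging_configuration block needs a Kinesis Data Firehose stream named aws-waf-logs-* as the destination, which is why the CloudWatch log group route above is the simpler one.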
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled
Code lines for this resource are too many. Please use IDE of your choice to review the file.
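CKV2_AWS_46 is about an S3 origin being reachable only through the distribution. The fix is not a flag on the distribution but a pair: an Origin Access Control on the origin, and a bucket policy that admits only the CloudFront service principal acting for that one distribution. The following is an added example, not code from the apex repository; the bucket, OAC and distribution names are hypothetical.

```hcl
# Added example, not code from the apex repository. Every name here
# (bucket, OAC, distribution) is hypothetical.

resource "aws_s3_bucket" "static_origin" {
  bucket = "example-static-origin" # hypothetical name
}

# Nothing should reach the origin except CloudFront, so close every public
# path first; the bucket policy below is then the only grant that exists.
resource "aws_s3_bucket_public_access_block" "static_origin" {
  bucket                  = aws_s3_bucket.static_origin.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Origin Access Control: CloudFront signs its origin requests with SigV4 as
# the cloudfront.amazonaws.com service principal. This replaces the legacy
# Origin Access Identity (s3_origin_config.origin_access_identity).
resource "aws_cloudfront_origin_access_control" "static_origin" {
  name                              = "example-static-origin-oac" # hypothetical
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

data "aws_cloudfront_cache_policy" "caching_optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "example" {
  enabled = true

  origin {
    domain_name              = aws_s3_bucket.static_origin.bucket_regional_domain_name
    origin_id                = "s3-static-origin"
    origin_access_control_id = aws_cloudfront_origin_access_control.static_origin.id
  }

  default_cache_behavior {
    target_origin_id       = "s3-static-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_optimized.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# The bucket policy is the enforcement point. Without the SourceArn condition
# any CloudFront distribution, in any AWS account, could name this bucket as
# its origin and serve the contents.
data "aws_iam_policy_document" "static_origin" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.static_origin.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.example.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "static_origin" {
  bucket = aws_s3_bucket.static_origin.id
  policy = data.aws_iam_policy_document.static_origin.json
}
```

Before applying this, confirm which origins the flagged distribution actually fronts. If its only relationship to S3 is the standard-log bucket in `logging_config`, there is no S3 origin to lock down, and the right outcome is a reviewed suppression with that reason rather than a code change.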
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
File: /lambda.tf:124-129
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
125 | bucket = aws_s3_bucket.backup_lambda.id
126 | rule {
127 | object_ownership = "ObjectWriter"
128 | }
129 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
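The S3 findings above (CKV_AWS_21 versioning, CKV_AWS_18 access logging, CKV2_AWS_62 event notifications, CKV2_AWS_65 ACLs, CKV_AWS_144 replication, CKV2_AWS_61 lifecycle) all attach to bare `aws_s3_bucket` blocks. With AWS provider v4+ each property is its own resource, which is why a three-line bucket fails six checks at once. The block below is an added example, not code from the apex repository, showing the set of companion resources a practitioner would add and how to suppress the two checks that do not apply with a recorded reason; it models the Lambda backup bucket and uses hypothetical bucket names.

```hcl
# Added example, not code from the apex repository; bucket names are
# hypothetical. Models the Lambda backup bucket, which has no ACL-dependent
# writer, so ACLs can be disabled outright.

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "backup" {
  #checkov:skip=CKV_AWS_144:Backups are single-region by design; no cross-region recovery requirement exists
  #checkov:skip=CKV2_AWS_62:No consumer for object events; a notification target with no subscriber is noise
  bucket = "example-backup-lambda" # hypothetical name

  lifecycle {
    prevent_destroy = true # a backup bucket must survive a stray destroy
  }
}

# CKV2_AWS_65: BucketOwnerEnforced disables ACLs, so the ObjectWriter case
# (uploader owns the object, bucket owner may not read it) cannot arise.
# Access is then governed by IAM and the bucket policy only.
resource "aws_s3_bucket_ownership_controls" "backup" {
  bucket = aws_s3_bucket.backup.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "backup" {
  bucket                  = aws_s3_bucket.backup.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_21: versioning keeps a deleted or overwritten backup recoverable.
resource "aws_s3_bucket_versioning" "backup" {
  bucket = aws_s3_bucket.backup.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: versioning without a lifecycle rule grows without bound and
# never cleans up abandoned multipart uploads.
resource "aws_s3_bucket_lifecycle_configuration" "backup" {
  bucket     = aws_s3_bucket.backup.id
  depends_on = [aws_s3_bucket_versioning.backup]

  rule {
    id     = "retire-old-versions"
    status = "Enabled"
    filter {} # empty filter: the rule applies to every object

    noncurrent_version_expiration {
      noncurrent_days = 90
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# CKV_AWS_18: server access logs go to a separate bucket; a bucket that logs
# into itself writes log-about-log entries forever.
resource "aws_s3_bucket" "access_logs" {
  bucket = "example-s3-access-logs" # hypothetical name
}

resource "aws_s3_bucket_ownership_controls" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# With ACLs disabled the S3 logging service principal needs a bucket policy
# grant; SourceAccount stops other accounts' buckets from logging into it.
data "aws_iam_policy_document" "access_logs" {
  statement {
    sid       = "S3ServerAccessLogsPolicy"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.access_logs.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  policy = data.aws_iam_policy_document.access_logs.json
}

resource "aws_s3_bucket_logging" "backup" {
  bucket        = aws_s3_bucket.backup.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "backup-lambda/"
}
```

One caveat for the `cloudfront` logging bucket (cloudfront.tf:108): CloudFront standard logs are delivered with ACLs, so that bucket cannot use `BucketOwnerEnforced` without breaking log delivery. Use `BucketOwnerPreferred` there and suppress CKV2_AWS_65 with that reason. The `ObjectWriter` setting on `backup_lambda` has no such justification unless a cross-account writer depends on it, and should move to `BucketOwnerEnforced` as shown.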
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
checkov_exitcode=1
TFLint Scan Failed
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/apex
*****************************
Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/alb.tf line 17:
17: "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/alb.tf line 19:
19: zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/cloudwatch.tf line 401:
401: data "template_file" "dashboard" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/ec2.tf line 40:
40: data "local_file" "cloudwatch_agent" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/event_triggers.tf line 22:
22: input = jsonencode({ "appname" : "${local.database_ec2_name}" })
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/lambda.tf line 119:
119: resource "time_sleep" "wait_for_provision_files" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/lambda.tf line 173:
173: data "archive_file" "connect_db" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
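The four `terraform_required_providers` warnings are a supply-chain point rather than a style one: a provider that is used but carries no version constraint is resolved to whatever the registry serves on the day `terraform init` runs, so two applies of the same commit can execute different provider code. The block below is an added example, not code from the apex repository; the version constraints are illustrative choices, and the template file and variable in the `templatefile()` replacement are hypothetical.

```hcl
# Added example, not code from the apex repository. The constraints are
# illustrative; pick the line that matches what `terraform init` resolved
# and commit .terraform.lock.hcl so the provider hashes are pinned too.
terraform {
  required_version = "~> 1.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    # The three providers tflint flagged were in use but unconstrained.
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.9"
    }
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.4"
    }
    # hashicorp/template is deliberately absent: the provider is archived and
    # the built-in templatefile() function replaces data "template_file".
  }
}

# Before (the flagged pattern in cloudwatch.tf, paraphrased with a
# hypothetical template path and variable):
#
#   data "template_file" "dashboard" {
#     template = file("${path.module}/dashboard.json.tpl")
#     vars     = { app = var.app_name }
#   }
#   # ... dashboard_body = data.template_file.dashboard.rendered
#
# After: no provider involved, same rendered output.
locals {
  dashboard_body = templatefile("${path.module}/dashboard.json.tpl", {
    app = var.app_name # hypothetical variable
  })
}
```

The `~>` operator allows patch and minor releases within the stated major version, which keeps `terraform init` from silently jumping to a new major; the committed lock file then pins exact versions and checksums for every platform you build on.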
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/apex
*****************************
Running Trivy in terraform/environments/apex
2024-09-12T13:58:14Z INFO [db] Need to update DB
2024-09-12T13:58:14Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T13:58:16Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T13:58:16Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T13:58:16Z INFO Need to update the built-in policies
2024-09-12T13:58:16Z INFO Downloading the built-in policies... 74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T13:58:16Z INFO [secret] Secret scanning is enabled
2024-09-12T13:58:16Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T13:58:16Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T13:58:17Z INFO [terraformscanner] Scanning root module file_path="."
2024-09-12T13:58:17Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-09-12T13:58:17Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-09-12T13:58:17Z INFO [terraformscanner] Scanning root module file_path="modules/lambdapolicy"
2024-09-12T13:58:17Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-09-12T13:58:17Z INFO [terraformscanner] Scanning root module file_path="modules/s3"
2024-09-12T13:58:17Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:242"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:212-236"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:217-230"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:231"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:61-83"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:56-89"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="lambda.tf:84"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:453-461"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:447-466"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/ecs/main.tf:462"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:18-29"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:52"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:29-51"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-policy-wildcards" range="modules/lambdapolicy/main.tf:24-57"
2024-09-12T13:58:18Z INFO [terraformexecutor] Ignore finding
rule="aws-iam-no-policy-wildcards"range="modules/lambdapolicy/main.tf:52"2024-09-12T13:58:18Z INFO Number of language-specific files num=02024-09-12T13:58:18Z INFO Detected config files num=14
cloudfront.tf (terraform)
=========================
Tests:15 (SUCCESSES:13, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.
See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────
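The hardened `viewer_certificate` for the finding above, as an added example rather than the repository's own `cloudfront.tf`. It assumes `aws_acm_certificate.cloudfront` is issued in us-east-1 (CloudFront accepts certificates only from that region; the Checkov output further down this page shows the certificate with `provider = aws.us-east-1`), and it assumes `var.cloudfront_aliases` and `var.origin_domain_name` for the custom domain names and the origin. The commented-out variant at the end is the cloudfront.net case the note describes, where suppression is the only option.

```hcl
# Added example for AVD-AWS-0013; not the repository's cloudfront.tf.
# Assumed: aws_acm_certificate.cloudfront (us-east-1), var.cloudfront_aliases,
# var.origin_domain_name.
data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled"
}

resource "aws_cloudfront_distribution" "external" {
  enabled = true
  aliases = var.cloudfront_aliases

  origin {
    origin_id   = "alb"
    domain_name = var.origin_domain_name

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only" # CloudFront -> origin is TLS as well
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb"
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https" # no plaintext viewer traffic
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_disabled.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # Flagged setting, kept for comparison:
    #   minimum_protocol_version = "TLSv1.2_2018"
    # Both policies require TLS 1.2 as the minimum; TLSv1.2_2021 additionally
    # drops the older cipher suites the 2018/2019 policies still offer. It is
    # only accepted together with an ACM certificate, i.e. not on *.cloudfront.net.
    acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

# The only alternative when the distribution serves from its *.cloudfront.net
# name: the API accepts nothing but TLSv1 here, so the finding is suppressed
# with a justification rather than fixed. The annotation is the same tfsec-style
# form that the scanner log on this page already honours for other rules.
#
#   viewer_certificate {
#     cloudfront_default_certificate = true
#     minimum_protocol_version       = "TLSv1" #tfsec:ignore:aws-cloudfront-enforce-https
#   }
```

Changing `minimum_protocol_version` is an in-place update of the distribution and takes a few minutes to deploy; clients that can only negotiate TLS 1.0/1.1 are refused at the handshake, so check the CloudFront `ViewerProtocol`/`ViewerTLSversion` fields in access logs before rolling this out to production.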
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────
ec2.tf (terraform)
==================
Tests:16 (SUCCESSES:11, FAILURES:2, EXCEPTIONS:3)
Failures:2 (HIGH:1, CRITICAL:1)
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-38
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2.tf:105
via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
103 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 security_group_id = aws_security_group.database.id
105 [ cidr_ipv4 = "0.0.0.0/0"
106 ip_protocol = "-1"
107 }
────────────────────────────────────────
lambda.tf (terraform)
=====================
Tests:54 (SUCCESSES:7, FAILURES:3, EXCEPTIONS:44)
Failures:3 (HIGH:2, CRITICAL:1)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name ="${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name ="${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
modules/alb/main.tf (terraform)
===============================
Tests:8 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:1)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────
modules/ecs/main.tf (terraform)
===============================
Tests:33 (SUCCESSES:2, FAILURES:2, EXCEPTIONS:29)
Failures:2 (HIGH:1, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────
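All four AVD-AWS-0104 findings on this page (ec2.tf, lambda.tf, modules/alb and modules/ecs) come down to an egress rule whose destination is `0.0.0.0/0`. The block below is an added example, not the repository's own code, showing what replacing that looks like for the two plainly written rules; it assumes `data.aws_vpc.shared` for the VPC CIDR, the region eu-west-2 (the page's instance sits in eu-west-2a), and that the database instance needs only S3 and the in-VPC service endpoints outbound.

```hcl
# Added example for AVD-AWS-0104; not the repository's ec2.tf or lambda.tf.
# Assumed: data.aws_vpc.shared, region eu-west-2, and the destinations named below.
data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.eu-west-2.s3"
}

# Flagged form, kept for comparison: every port and protocol, to anywhere.
#
#   resource "aws_vpc_security_group_egress_rule" "db_outbound" {
#     security_group_id = aws_security_group.database.id
#     cidr_ipv4         = "0.0.0.0/0"
#     ip_protocol       = "-1"
#   }

# One rule per destination the instance actually uses. HTTPS to S3 goes through
# the gateway endpoint's prefix list, so no public range is needed at all.
resource "aws_vpc_security_group_egress_rule" "db_s3" {
  security_group_id = aws_security_group.database.id
  description       = "HTTPS to S3 via the gateway endpoint (backup snapshots)"
  prefix_list_id    = data.aws_ec2_managed_prefix_list.s3.id
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# SSM, CloudWatch and KMS interface endpoints have addresses inside the VPC.
resource "aws_vpc_security_group_egress_rule" "db_vpc_https" {
  security_group_id = aws_security_group.database.id
  description       = "HTTPS to interface endpoints inside the VPC"
  cidr_ipv4         = data.aws_vpc.shared.cidr_block
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# The backup Lambda's egress mirrors the ingress rule ec2.tf already has
# (db_lambda: tcp/22 from aws_security_group.backup_lambda). Referencing the
# peer security group rather than a CIDR keeps the pair in lock-step.
resource "aws_vpc_security_group_egress_rule" "lambda_to_db_ssh" {
  security_group_id            = aws_security_group.backup_lambda.id
  description                  = "SSH to the database instance for backup snapshots"
  referenced_security_group_id = aws_security_group.database.id
  from_port                    = 22
  to_port                      = 22
  ip_protocol                  = "tcp"
}
```

Two things to keep in mind. The check is on the destination, not the port: narrowing the flagged rule to tcp/443 while keeping `0.0.0.0/0` still fails it. And for the two module findings, the `lookup(egress.value, "cidr_blocks", null)` line is only echoing what the caller passed in, so the place to change is the egress map in `alb.tf` and `ecs.tf`, not the module.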
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────
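The IMDSv2 fix is the same for the `aws_instance` finding in ec2.tf above and for this launch template, so one added example (not the repository's code) covers both. It reuses the `ami`, `instance_type`, `subnet_id`, security group and instance profile references the page already shows for `apex_db_instance`; `var.ami_image_id`, `var.instance_type` and `var.instance_profile_arn` on the launch template are assumed module inputs. The user-data fragment shows the token handshake that any script on the box has to use once IMDSv1 is switched off.

```hcl
# Added example for AVD-AWS-0028 / AVD-AWS-0130 (CKV_AWS_79 further down the
# page checks the same thing); not the repository's ec2.tf or modules/ecs/main.tf.
resource "aws_instance" "apex_db_instance" {
  ami                    = local.application_data.accounts[local.environment].ec2amiid
  instance_type          = local.application_data.accounts[local.environment].ec2instancetype
  subnet_id              = data.aws_subnet.data_subnets_a.id
  vpc_security_group_ids = [aws_security_group.database.id]
  iam_instance_profile   = aws_iam_instance_profile.ec2_instance_profile.id

  metadata_options {
    http_endpoint = "enabled"
    # "optional" (the provider default) leaves IMDSv1 reachable: an SSRF or
    # any other forged GET from software on the instance can read the instance
    # role's credentials. "required" forces the PUT-then-GET token handshake,
    # which a simple forged GET cannot perform.
    http_tokens = "required"
    # Hop limit 1 stops the token response being forwarded beyond the instance
    # itself (containers on a bridge network, NAT). Raise to 2 only where such
    # workloads legitimately need IMDS.
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  # User data that still speaks IMDSv1 breaks once tokens are required. This is
  # the v2 form: fetch a session token, then send it with every metadata request.
  user_data = <<-EOT
    #!/bin/bash
    set -euo pipefail
    TOKEN=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
    INSTANCE_ID=$(curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" \
      "http://169.254.169.254/latest/meta-data/instance-id")
    echo "booting $INSTANCE_ID" >> /var/log/user-data.log
  EOT

  tags = local.tags
}

# Same block on the launch template the ECS module uses for its container
# instances. The ECS agent runs with host networking, so hop limit 1 is enough
# for it; tasks should be using task roles, not the instance's IMDS.
resource "aws_launch_template" "ec2-launch-template" {
  name_prefix   = "${local.application_name}-ecs-"
  image_id      = var.ami_image_id   # assumed module input
  instance_type = var.instance_type  # assumed module input

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  iam_instance_profile {
    arn = var.instance_profile_arn # assumed module input
  }
}
```

Before flipping `http_tokens` on an existing instance, look at the `MetadataNoToken` CloudWatch metric for it: a non-zero value means something on the box is still making IMDSv1 calls and will break.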
modules/s3/main.tf (terraform)
==============================
Tests:7 (SUCCESSES:5, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
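The same change answers all three bucket findings on this page (the `cloudfront` bucket in cloudfront.tf, `backup_lambda` in lambda.tf and this module bucket): a customer managed key with rotation, SSE-KMS as the bucket default, and a bucket policy so the default cannot be bypassed per object. The block is an added example written for the module form, not the repository's code; it assumes `var.application_name` alongside the module's existing `var.bucket_name` and `var.tags`. One caveat before applying it to the cloudfront.tf bucket: if that bucket receives CloudFront standard (legacy) access logs, it has to stay SSE-S3, because that log delivery does not write to SSE-KMS buckets, and the finding should then be suppressed with that justification rather than "fixed".

```hcl
# Added example for AVD-AWS-0088 / AVD-AWS-0132; not the repository's module.
# Assumed inputs: var.bucket_name, var.tags, var.application_name.
resource "aws_kms_key" "bucket" {
  description             = "CMK for ${var.bucket_name}"
  enable_key_rotation     = true # yearly rotation; also what CKV_AWS_7 below checks for
  deletion_window_in_days = 30
  tags                    = var.tags
}

resource "aws_kms_alias" "bucket" {
  name          = "alias/${var.application_name}-${var.bucket_name}"
  target_key_id = aws_kms_key.bucket.key_id
}

resource "aws_s3_bucket" "laa-lambda-backup" {
  bucket = var.bucket_name
  tags   = var.tags
}

resource "aws_s3_bucket_server_side_encryption_configuration" "laa-lambda-backup" {
  bucket = aws_s3_bucket.laa-lambda-backup.id

  rule {
    apply_server_side_encryption_by_default {
      # "AES256" (SSE-S3) is what AVD-AWS-0132 flags: the key is AWS-owned, so
      # it cannot be restricted by key policy, rotated on your schedule, or
      # audited per use in CloudTrail. SSE-KMS with a CMK gives all three.
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.bucket.arn
    }
    # S3 Bucket Keys cut the KMS request volume (and cost) for SSE-KMS buckets.
    bucket_key_enabled = true
  }
}

# A default is only a default: a client may still ask for SSE-S3 or another
# key per object. Refuse both at the bucket policy, and refuse plaintext HTTP.
data "aws_iam_policy_document" "enforce_cmk" {
  statement {
    sid       = "DenyNonKmsEncryptionHeader"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.laa-lambda-backup.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    # Absent header -> bucket default (our CMK) applies; "AES256" -> denied.
    condition {
      test     = "StringNotEqualsIfExists"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }

  statement {
    sid       = "DenyOtherKmsKeys"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.laa-lambda-backup.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    # aws:kms requested with a different key, or with no key id at all -> denied.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [aws_kms_key.bucket.arn]
    }
  }

  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.laa-lambda-backup.arn, "${aws_s3_bucket.laa-lambda-backup.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "laa-lambda-backup" {
  bucket = aws_s3_bucket.laa-lambda-backup.id
  policy = data.aws_iam_policy_document.enforce_cmk.json
}
```

Every principal that reads or writes the bucket (here, the backup Lambda's role) also needs `kms:Decrypt` and `kms:GenerateDataKey` on the key, either through the key policy or through IAM; without that, the first `GetObject` after the switch fails with `AccessDenied` from KMS rather than from S3.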
sns.tf (terraform)
==================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:6-14
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "apex" {
7 │ name = "${local.application_name}-${local.environment}-alerting-topic"
8 │ tags = merge(
9 │ local.tags,
10 │ {
11 │ Name = "${local.application_name}-${local.environment}-alerting-topic"
12 │ }
13 │ )
14 └ }
────────────────────────────────────────
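Encrypting an alerting topic has one trap that the one-line description above does not mention: whoever publishes to the topic must be allowed to use the key, and for a topic fed by CloudWatch alarms that rules out the AWS-managed `alias/aws/sns` key, whose policy cannot be edited. The added example below (not the repository's sns.tf) creates a CMK whose policy admits the CloudWatch service principal; it assumes `data.aws_caller_identity.current` and reuses the `local.*` names the page already shows.

```hcl
# Added example for AVD-AWS-0095; not the repository's sns.tf.
# Assumed: data.aws_caller_identity.current, local.application_name,
# local.environment, local.tags.
data "aws_iam_policy_document" "sns_key" {
  # Key administration stays with the account; IAM policies then decide who.
  statement {
    sid       = "AccountKeyAdmin"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudWatch alarms publish to this topic. Without this grant the alarm
  # action cannot encrypt the message and fails; this is the minimum the
  # service needs, and the reason the AWS-managed SNS key cannot be used.
  statement {
    sid       = "AllowCloudWatchAlarmsToPublish"
    effect    = "Allow"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "sns" {
  description         = "CMK for the ${local.application_name} alerting topic"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.sns_key.json
  tags                = local.tags
}

resource "aws_kms_alias" "sns" {
  name          = "alias/${local.application_name}-${local.environment}-sns"
  target_key_id = aws_kms_key.sns.key_id
}

resource "aws_sns_topic" "apex" {
  name              = "${local.application_name}-${local.environment}-alerting-topic"
  kms_master_key_id = aws_kms_key.sns.id # the flagged topic set no key at all
  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-alerting-topic" }
  )
}
```

Subscribers are unaffected, because SNS decrypts before delivery (the HTTPS PagerDuty endpoint that the module list on this page refers to keeps working). Any other AWS service that publishes to the topic, such as S3 event notifications or EventBridge, needs its own principal added to the key policy in the same way.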
trivy_exitcode=1
HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.
See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/apex
*****************************
Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-12 14:12:51,602 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-09-12 14:12:51,602 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 358, Failed checks: 94, Skipped checks: 5, Parsing errors: 1
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
FAILED for resource: aws_backup_vault.apex
File: /backups.tf:10-16
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk
10 | resource "aws_backup_vault" "apex" {
11 | name = "${local.application_name}-backup-vault"
12 | tags = merge(
13 | local.tags,
14 | { "Name" = "${local.application_name}-backup-vault" },
15 | )
16 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
File: /cloudfront.tf:156-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
157 | count = local.environment == "production" ? 1 : 0
158 | bucket = aws_s3_bucket.cloudfront.id
159 |
160 | rule {
161 | id = "delete-after-90days"
162 |
163 | expiration {
164 | days = 90
165 | }
166 |
167 | noncurrent_version_expiration {
168 | newer_noncurrent_versions = 1
169 | noncurrent_days = 90
170 | }
171 |
172 | status = "Enabled"
173 | }
174 | }
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.cloudfront
File: /cloudfront.tf:294-304
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
294 | resource "aws_acm_certificate" "cloudfront" {
295 | domain_name = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
296 | validation_method = "DNS"
297 | provider = aws.us-east-1
298 | subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
299 | tags = local.tags
300 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
301 | lifecycle {
302 | prevent_destroy = false
303 | }
304 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.apex_db_instance
File: /ec2.tf:6-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
6 | resource "aws_instance" "apex_db_instance" {
7 | ami = local.application_data.accounts[local.environment].ec2amiid
8 | associate_public_ip_address = false
9 | availability_zone = "eu-west-2a"
10 | ebs_optimized = true
11 | instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 | vpc_security_group_ids = [aws_security_group.database.id]
13 | monitoring = true
14 | subnet_id = data.aws_subnet.data_subnets_a.id
15 | iam_instance_profile = aws_iam_instance_profile.ec2_instance_profile.id
16 | key_name = aws_key_pair.apex.key_name
17 | user_data_base64 = base64encode(local.database-instance-userdata)
18 | user_data_replace_on_change = local.application_data.accounts[local.environment].user_data_replace_on_change
19 |
20 |
21 | root_block_device {
22 | delete_on_termination = false
23 | encrypted = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
24 | volume_size = 60
25 | volume_type = "gp2"
26 | tags = merge(
27 | local.tags,
28 | { "Name" = "${local.application_name}db-ec2-root" },
29 | )
30 | }
31 |
32 | tags = merge(
33 | local.tags,
34 | { "Name" = local.database_ec2_name },
35 | { "instance-scheduling" = "skip-scheduling" },
36 | { "snapshot-with-daily-7-day-retention" = "yes" }
37 | )
38 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
File: /ec2.tf:75-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
76 | security_group_id = aws_security_group.database.id
77 | description = "Allow Lambda SSH access for backup snapshots"
78 | referenced_security_group_id = aws_security_group.backup_lambda.id
79 | from_port = 22
80 | ip_protocol = "tcp"
81 | to_port = 22
82 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /ec2.tf:103-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 | security_group_id = aws_security_group.database.id
105 | cidr_ipv4 = "0.0.0.0/0"
106 | ip_protocol = "-1"
107 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
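Both checks fire on the same thing: every statement in `ec2_instance_policy` uses `Resource = "*"`, including the actions that do support resource-level permissions. An added example (not the repository's ec2.tf) of the same policy with each statement scoped as far as the action allows; it assumes `data.aws_caller_identity.current` and `data.aws_region.current`, the `${upper(local.application_name)}-EC2-` log group prefix that the log groups further down this page use, and two metric namespaces for the agent.

```hcl
# Added example for CKV_AWS_290 / CKV_AWS_355; not the repository's ec2.tf.
# Assumed: data.aws_caller_identity.current, data.aws_region.current,
# the "${upper(local.application_name)}-EC2-" log group prefix, namespaces below.
data "aws_iam_policy_document" "ec2_instance" {
  # Log writes are resource-level actions: scope them to this application's
  # log groups and streams instead of every log group in the account.
  statement {
    sid    = "WriteOwnLogGroups"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:DescribeLogStreams",
      "logs:PutRetentionPolicy",
      "logs:PutLogEvents",
    ]
    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${upper(local.application_name)}-EC2-*",
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${upper(local.application_name)}-EC2-*:log-stream:*",
    ]
  }

  # These actions take no resource ARN, so "*" is unavoidable here and
  # CKV_AWS_355 does not count them against the policy.
  statement {
    sid    = "DescribeAndReadMetrics"
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
      "ec2:DescribeInstances",
    ]
    resources = ["*"]
  }

  # PutMetricData is also "*"-only, but it can be fenced by namespace.
  statement {
    sid       = "PutMetricsInOwnNamespaces"
    effect    = "Allow"
    actions   = ["cloudwatch:PutMetricData"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "cloudwatch:namespace"
      values   = ["CWAgent", upper(local.application_name)] # assumed namespaces
    }
  }

  # The write action CKV_AWS_290 objected to: limited to instances, and only
  # to ones carrying the Name tag that aws_instance.apex_db_instance sets.
  statement {
    sid       = "TagOwnInstance"
    effect    = "Allow"
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/Name"
      values   = [local.database_ec2_name]
    }
  }
}

resource "aws_iam_role_policy" "ec2_instance_policy" {
  name   = "${local.application_name}-ec2-policy"
  role   = aws_iam_role.ec2_instance_role.id
  policy = data.aws_iam_policy_document.ec2_instance.json
}
```

Confirm the scoping against real traffic before merging: a few days of CloudTrail for the instance role shows exactly which log groups and namespaces it touches, and anything outside the ARNs above will surface as `AccessDenied` in the agent log.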
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.database
File: /ec2.tf:263-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
263 | resource "aws_cloudwatch_log_group" "database" {
264 | name = "${upper(local.application_name)}-EC2-database-alert"
265 | retention_in_days = 0
266 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
267 | tags = merge(
268 | local.tags,
269 | {
270 | Name = "${upper(local.application_name)}-EC2-database-alert"
271 | }
272 | )
273 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.pmon_status
File: /ec2.tf:288-298
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
288 | resource "aws_cloudwatch_log_group" "pmon_status" {
289 | name = "${upper(local.application_name)}-EC2-database-pmon-status"
290 | retention_in_days = 0
291 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
292 | tags = merge(
293 | local.tags,
294 | {
295 | Name = "${upper(local.application_name)}-EC2-database-pmon-status"
296 | }
297 | )
298 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.ssh_key
File: /lambda.tf:7-22
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337
7 | resource "aws_ssm_parameter" "ssh_key" {
8 | name = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
9 | description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
10 | type = "SecureString"
11 | value = "Placeholder"
12 |
13 | tags = merge(
14 | local.tags,
15 | { Name = "EC2_SSH_KEY" }
16 | )
17 | lifecycle {
18 | ignore_changes = [
19 | value,
20 | ]
21 | }
22 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: module.alb.aws_acm_certificate.external_lb
File: /modules/alb/main.tf:658-668
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
658 | resource "aws_acm_certificate" "external_lb" {
659 |
660 | domain_name = var.acm_cert_domain_name
661 | validation_method = "DNS"
662 | subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
663 | tags = var.tags
664 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
665 | lifecycle {
666 | prevent_destroy = false
667 | }
668 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.alb.s3-bucket[0]
File: /modules/alb/main.tf:124-179
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
File: /modules/codebuild/main.tf:25-39
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
26 | bucket = aws_s3_bucket.deployment_report.id
27 |
28 | rule {
29 | id = "monthly-expiration"
30 | expiration {
31 | days = var.s3_lifecycle_expiration_days
32 | }
33 | noncurrent_version_expiration {
34 | noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
35 | }
36 |
37 | status = "Enabled"
38 | }
39 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
File: /modules/codebuild/main.tf:231-280
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
File: /modules/ecs/main.tf:266-287
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions
266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
267 | family = "${var.app_name}-task-definition"
268 | count = var.container_instance_type == "windows" ? 1 : 0
269 | execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
270 | task_role_arn = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
271 | requires_compatibilities = [
272 | "EC2",
273 | ]
274 |
275 | # volume {
276 | # name = var.task_definition_volume
277 | # }
278 |
279 | container_definitions = var.task_definition
280 |
281 | tags = merge(
282 | var.tags_common,
283 | {
284 | Name = "${var.app_name}-windows-task-definition"
285 | }
286 | )
287 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
File: /modules/ecs/main.tf:488-499
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
489 | #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
490 | name = "${var.app_name}-ecs-container-logs"
491 | retention_in_days = 90
492 | kms_key_id = var.log_group_kms_key
493 | tags = merge(
494 | var.tags_common,
495 | {
496 | Name = "${var.app_name}-ecs-container-logs"
497 | }
498 | )
499 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
File: /modules/ecs/main.tf:506-516
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
506 | resource "aws_cloudwatch_log_group" "ec2" {
507 | name = "${var.app_name}-ecs-ec2-logs"
508 | retention_in_days = 90
509 | kms_key_id = var.log_group_kms_key
510 | tags = merge(
511 | var.tags_common,
512 | {
513 | Name = "${var.app_name}-ecs-ec2-logs"
514 | }
515 | )
516 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.apex
File: /sns.tf:6-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
6 | resource "aws_sns_topic" "apex" {
7 | name = "${local.application_name}-${local.environment}-alerting-topic"
8 | tags = merge(
9 | local.tags,
10 | {
11 | Name = "${local.application_name}-${local.environment}-alerting-topic"
12 | }
13 | )
14 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: pagerduty_core_alerts
File: /sns.tf:34-41
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
34 | module "pagerduty_core_alerts" {
35 | depends_on = [
36 | aws_sns_topic.apex
37 | ]
38 | source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
39 | sns_topics = [aws_sns_topic.apex.name]
40 | pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
FAILED for resource: aws_waf_web_acl.waf_acl
File: /waf.tf:57-87
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31
57 | resource "aws_waf_web_acl" "waf_acl" {
58 | depends_on = [
59 | aws_waf_rule.wafmanualallowrule,
60 | aws_waf_rule.wafmanualblockrule,
61 | ]
62 | name = "${upper(local.application_name)} Whitelisting Requesters"
63 | metric_name = "${upper(local.application_name)}WhitelistingRequesters"
64 | # scope = "CLOUDFRONT"
65 | # provider = aws.us-east-1
66 | default_action {
67 | type = "BLOCK"
68 | }
69 |
70 | rules {
71 | action {
72 | type = "ALLOW"
73 | }
74 | priority = 1
75 | rule_id = aws_waf_rule.wafmanualallowrule.id
76 | type = "REGULAR"
77 | }
78 |
79 | rules {
80 | action {
81 | type = "BLOCK"
82 | }
83 | priority = 2
84 | rule_id = aws_waf_rule.wafmanualblockrule.id
85 | type = "REGULAR"
86 | }
87 | }
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
File: /lambda.tf:124-129
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
125 | bucket = aws_s3_bucket.backup_lambda.id
126 | rule {
127 | object_ownership = "ObjectWriter"
128 | }
129 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
104 |   # force_destroy = true
105 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 |   name        = "cloudfront-v1-secret-${var.application_name}"
305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
101 | resource "aws_s3_bucket" "backup_lambda" {
102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 |   tags = merge(
104 |     local.tags,
105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 |   )
107 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
104 |   # force_destroy = true
105 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 |   bucket = var.bucket_name
3 |   tags   = var.tags
4 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
108 | resource "aws_s3_bucket" "cloudfront" {
109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
111 |   tags = merge(
112 |     local.tags,
113 |     {
114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 |     }
116 |   )
117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 |   lifecycle {
119 |     prevent_destroy = false
120 |   }
121 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
101 | resource "aws_s3_bucket" "backup_lambda" {
102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 |   tags = merge(
104 |     local.tags,
105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 |   )
107 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "deployment_report" {
6 |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
8 |   tags = merge(
9 |     var.tags,
10 |     {
11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 |     },
13 |   )
14 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
104 |   # force_destroy = true
105 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 |   bucket = var.bucket_name
3 |   tags   = var.tags
4 | }
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
checkov_exitcode=1
TFLint Scan Failed
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/apex
*****************************
Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
  401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 40:
  40: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 119:
  119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 173:
  173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/apex
*****************************
Running Trivy in terraform/environments/apex
2024-09-12T14:12:43Z INFO [db] Need to update DB
2024-09-12T14:12:43Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T14:12:46Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T14:12:46Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T14:12:46Z INFO Need to update the built-in policies
2024-09-12T14:12:46Z INFO Downloading the built-in policies... 74.86 KiB / 74.86 KiB 100.00%
2024-09-12T14:12:46Z INFO [secret] Secret scanning is enabled
2024-09-12T14:12:46Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T14:12:46Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-12T14:12:46Z INFO [terraformscanner] Scanning root module file_path="."
2024-09-12T14:12:46Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-12T14:12:46Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-09-12T14:12:46Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_set_descriptors" value="cty.NilVal"
2024-09-12T14:12:47Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-09-12T14:12:47Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-09-12T14:12:47Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-09-12T14:12:47Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-09-12T14:12:47Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-09-12T14:12:47Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-09-12T14:12:48Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.apex-ecs.dynamic.tag" value="cty.NilVal"
2024-09-12T14:12:48Z INFO [terraformscanner] Scanning root module file_path="modules/lambdapolicy"
2024-09-12T14:12:48Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-09-12T14:12:48Z INFO [terraformscanner] Scanning root module file_path="modules/s3"
2024-09-12T14:12:48Z WARN [terraformparser] Variable values was not found in the environment or variable files.
cloudfront.tf (terraform)
=========================
Tests: 15 (SUCCESSES: 13, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)
HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.
See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176   resource "aws_cloudfront_distribution" "external" {
...
243 [     minimum_protocol_version = "TLSv1.2_2018"
...
266   }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────
ec2.tf (terraform)
==================
Tests:16 (SUCCESSES:11, FAILURES:2, EXCEPTIONS:3)
Failures:2 (HIGH:1, CRITICAL:1)
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block with its http_tokens attribute set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-38
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2.tf:105
via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
103 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 security_group_id = aws_security_group.database.id
105 [ cidr_ipv4 = "0.0.0.0/0"
106 ip_protocol = "-1"
107 }
────────────────────────────────────────
lambda.tf (terraform)
=====================
Tests:54 (SUCCESSES:7, FAILURES:3, EXCEPTIONS:44)
Failures:3 (HIGH:2, CRITICAL:1)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name ="${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name ="${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
modules/alb/main.tf (terraform)
===============================
Tests:8 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:1)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────
modules/ecs/main.tf (terraform)
===============================
Tests:33 (SUCCESSES:2, FAILURES:2, EXCEPTIONS:29)
Failures:2 (HIGH:1, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
..
85 [ cidr_blocks =lookup(egress.value, "cidr_blocks", null)
..
96 }
────────────────────────────────────────
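The four avd-aws-0104 findings above (ec2.tf:103-107, lambda.tf:184-201, modules/alb/main.tf:264-293 and modules/ecs/main.tf:61-96) all come from `0.0.0.0/0` egress. The two module findings inherit their cidr_blocks from the caller's egress map (alb.tf:27-163 and ecs.tf:5-38), so they are fixed in those inputs rather than in the module. As an added example, not the project's code, here is what scoped egress looks like for the database host and the backup Lambda using the security groups the scan output already names; the VPC-endpoint security group and the choice of destinations are assumptions about what those hosts need.

```hcl
# Added example (not code from ec2.tf or lambda.tf). Replaces the "-1" to
# 0.0.0.0/0 rule at ec2.tf:103-107 with rules that name a destination:
# a managed prefix list for S3 and security groups for everything else.
data "aws_region" "current" {}

# AWS-managed prefix list for the S3 gateway endpoint in this region. The
# route table of the data subnets must carry the gateway endpoint route for
# this traffic to go anywhere.
data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_vpc_security_group_egress_rule" "db_to_s3" {
  security_group_id = aws_security_group.database.id
  description       = "HTTPS to the S3 gateway endpoint (backups, agent downloads)"
  prefix_list_id    = data.aws_ec2_managed_prefix_list.s3.id
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
}

# SSM, CloudWatch Logs and similar APIs are reached through interface
# endpoints; target the endpoints' security group instead of a CIDR.
resource "aws_vpc_security_group_egress_rule" "db_to_vpc_endpoints" {
  security_group_id            = aws_security_group.database.id
  description                  = "HTTPS to interface VPC endpoints"
  referenced_security_group_id = aws_security_group.vpc_endpoints.id # assumed SG
  from_port                    = 443
  to_port                      = 443
  ip_protocol                  = "tcp"
}

# Security groups are stateful: replies to the Lambda's SSH session (the
# ingress rule at ec2.tf:75-82) need no egress rule on the database side.
# The Lambda's own group (lambda.tf:184-201) only needs 22 to the database
# and 443 to the endpoints, replacing its cidr_blocks = ["0.0.0.0/0"].
resource "aws_vpc_security_group_egress_rule" "lambda_to_db" {
  security_group_id            = aws_security_group.backup_lambda.id
  description                  = "SSH to the database instance for snapshots"
  referenced_security_group_id = aws_security_group.database.id
  from_port                    = 22
  to_port                      = 22
  ip_protocol                  = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "lambda_to_vpc_endpoints" {
  security_group_id            = aws_security_group.backup_lambda.id
  description                  = "HTTPS to interface VPC endpoints (SSM, SES, logs)"
  referenced_security_group_id = aws_security_group.vpc_endpoints.id # assumed SG
  from_port                    = 443
  to_port                      = 443
  ip_protocol                  = "tcp"
}
```

Each rule carries a description, which also clears the CKV_AWS_23 failure Checkov reports for db_outbound further down. If the database host genuinely needs the public internet (package mirrors, for instance), put that behind a NAT gateway and still limit the rule to tcp/443 rather than all protocols to all addresses; the point of the rule is that an attacker on the host cannot reach an arbitrary exfiltration endpoint.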
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block with its http_tokens attribute set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────
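Both resources the two IMDS findings point at (aws_instance.apex_db_instance at ec2.tf:6-38 and aws_launch_template.ec2-launch-template at modules/ecs/main.tf:107-164) with IMDSv2 enforced, as an added example rather than the project's code. Attributes already on the page are kept; the launch template's name, image and size are assumptions.

```hcl
# Added example (not code from ec2.tf or modules/ecs/main.tf). http_tokens =
# "required" makes every metadata request carry a PUT-obtained session token,
# which is what stops the classic SSRF-to-instance-role credential theft.
resource "aws_instance" "apex_db_instance" {
  ami                    = local.application_data.accounts[local.environment].ec2amiid
  instance_type          = local.application_data.accounts[local.environment].ec2instancetype
  subnet_id              = data.aws_subnet.data_subnets_a.id
  vpc_security_group_ids = [aws_security_group.database.id]
  iam_instance_profile   = aws_iam_instance_profile.ec2_instance_profile.id

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # clears avd-aws-0028 and CKV_AWS_79
    http_put_response_hop_limit = 1          # the token PUT cannot be proxied from further away
    instance_metadata_tags      = "disabled"
  }
}

# Launch template for the ECS cluster hosts. Task role credentials come from
# the ECS agent endpoint (169.254.170.2), not from IMDS, so a hop limit of 1
# is correct here as well: containers cannot read the instance role.
# Raise it to 2 only if a bridge-mode task genuinely needs IMDS itself.
resource "aws_launch_template" "ec2-launch-template" {
  name_prefix   = "${local.application_name}-ecs-"       # assumed
  image_id      = local.application_data.accounts[local.environment].ecs_ami_id # assumed key
  instance_type = "t3.medium"                             # assumed

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # clears avd-aws-0130
    http_put_response_hop_limit = 1
  }
}
```

Changing a launch template only affects instances launched from the new version, so existing hosts need an instance refresh or a rolling replacement. Instances that cannot be replaced immediately can be switched in place with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`, and the fleet can be audited with `aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens]'`. Before flipping production, confirm that the CloudWatch and SSM agents on the AMI are recent enough to speak IMDSv2; old agents that only do IMDSv1 stop reporting the moment tokens become mandatory.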
modules/s3/main.tf (terraform)
==============================
Tests:7 (SUCCESSES:5, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
sns.tf (terraform)
==================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:6-14
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "apex" {
7 │ name = "${local.application_name}-${local.environment}-alerting-topic"
8 │ tags = merge(
9 │ local.tags,
10 │ {
11 │ Name = "${local.application_name}-${local.environment}-alerting-topic"
12 │ }
13 │ )
14 └ }
────────────────────────────────────────
trivy_exitcode=1
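The three S3 findings (avd-aws-0088 on lambda.tf:101-107 and modules/s3/main.tf:1-4, avd-aws-0132 on cloudfront.tf:130-141) and the SNS finding (avd-aws-0095 on sns.tf:6-14) share one fix: a customer managed KMS key applied to the bucket and the topic. The following is an added example, not code from the apex environment; it keeps the resource names the scan output uses and assumes a single key named aws_kms_key.data shared by both. The key policy statement for CloudWatch is the part practitioners most often miss: without it, alarm notifications to a CMK-encrypted topic are dropped with no error on the alarm side.

```hcl
# Added example (not the project's code). One CMK with rotation, a key policy
# that lets CloudWatch alarms publish to the encrypted topic, and the S3 and
# SNS resources from the scan output switched to use it.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "data_key" {
  # Account root keeps full control so IAM policies can grant key usage.
  statement {
    sid       = "EnableIAMPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  # CloudWatch needs to generate a data key to publish to the topic; without
  # this statement alarm actions silently fail once kms_master_key_id is set.
  statement {
    sid       = "AllowCloudWatchAlarmsOnEncryptedTopic"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "data" { # assumed name
  description         = "CMK for backup buckets and the alerting topic"
  enable_key_rotation = true # the same setting Checkov CKV_AWS_7 wants on aws_kms_key.efs
  policy              = data.aws_iam_policy_document.data_key.json
  tags                = local.tags
}

resource "aws_kms_alias" "data" {
  name          = "alias/${local.application_name}-${local.environment}-data"
  target_key_id = aws_kms_key.data.key_id
}

# Bucket definition as at lambda.tf:101-107; encryption is a separate
# resource in provider v4+, which is why the bare bucket trips avd-aws-0088.
resource "aws_s3_bucket" "backup_lambda" {
  bucket = "${local.application_name}-${local.environment}-backup-lambda"
  tags   = local.tags
}

resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"            # "AES256" (SSE-S3) is what cloudfront.tf:134 uses
      kms_master_key_id = aws_kms_key.data.arn # CMK clears avd-aws-0132
    }
    bucket_key_enabled = true # S3 Bucket Keys: far fewer KMS calls per object
  }
}

# Topic from sns.tf:6-14 with encryption at rest.
resource "aws_sns_topic" "apex" {
  name              = "${local.application_name}-${local.environment}-alerting-topic"
  kms_master_key_id = aws_kms_key.data.arn # clears avd-aws-0095
  tags              = local.tags
}
```

Every principal that reads or writes the bucket (the backup Lambda's role, for instance) now also needs kms:Decrypt and kms:GenerateDataKey on aws_kms_key.data, either in the key policy or in its IAM policy; S3 calls fail with AccessDenied rather than a KMS-specific error when that is missing. For the modules/s3 bucket the same encryption resource is added inside the module against aws_s3_bucket.laa-lambda-backup, with the key ARN passed in as a variable.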
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/apex
*****************************
Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-12 14:24:23,567 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-09-12 14:24:23,567 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 358, Failed checks: 94, Skipped checks: 5, Parsing errors: 1
Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
FAILED for resource: aws_backup_vault.apex
File: /backups.tf:10-16
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk
10 | resource "aws_backup_vault" "apex" {
11 | name = "${local.application_name}-backup-vault"
12 | tags = merge(
13 | local.tags,
14 | { "Name" = "${local.application_name}-backup-vault" },
15 | )
16 | }
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
File: /cloudfront.tf:156-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
157 | count = local.environment == "production" ? 1 : 0
158 | bucket = aws_s3_bucket.cloudfront.id
159 |
160 | rule {
161 | id = "delete-after-90days"
162 |
163 | expiration {
164 | days = 90
165 | }
166 |
167 | noncurrent_version_expiration {
168 | newer_noncurrent_versions = 1
169 | noncurrent_days = 90
170 | }
171 |
172 | status = "Enabled"
173 | }
174 | }
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.cloudfront
File: /cloudfront.tf:294-304
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
294 | resource "aws_acm_certificate" "cloudfront" {
295 | domain_name = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
296 | validation_method = "DNS"
297 | provider = aws.us-east-1
298 | subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
299 | tags = local.tags
300 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
301 | lifecycle {
302 | prevent_destroy = false
303 | }
304 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.apex_db_instance
File: /ec2.tf:6-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
6 | resource "aws_instance" "apex_db_instance" {
7 | ami = local.application_data.accounts[local.environment].ec2amiid
8 | associate_public_ip_address = false
9 | availability_zone = "eu-west-2a"
10 | ebs_optimized = true
11 | instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 | vpc_security_group_ids = [aws_security_group.database.id]
13 | monitoring = true
14 | subnet_id = data.aws_subnet.data_subnets_a.id
15 | iam_instance_profile = aws_iam_instance_profile.ec2_instance_profile.id
16 | key_name = aws_key_pair.apex.key_name
17 | user_data_base64 = base64encode(local.database-instance-userdata)
18 | user_data_replace_on_change = local.application_data.accounts[local.environment].user_data_replace_on_change
19 |
20 |
21 | root_block_device {
22 | delete_on_termination = false
23 | encrypted = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
24 | volume_size = 60
25 | volume_type = "gp2"
26 | tags = merge(
27 | local.tags,
28 | { "Name" = "${local.application_name}db-ec2-root" },
29 | )
30 | }
31 |
32 | tags = merge(
33 | local.tags,
34 | { "Name" = local.database_ec2_name },
35 | { "instance-scheduling" = "skip-scheduling" },
36 | { "snapshot-with-daily-7-day-retention" = "yes" }
37 | )
38 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
File: /ec2.tf:75-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
76 | security_group_id = aws_security_group.database.id
77 | description = "Allow Lambda SSH access for backup snapshots"
78 | referenced_security_group_id = aws_security_group.backup_lambda.id
79 | from_port = 22
80 | ip_protocol = "tcp"
81 | to_port = 22
82 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /ec2.tf:103-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 | security_group_id = aws_security_group.database.id
105 | cidr_ipv4 = "0.0.0.0/0"
106 | ip_protocol = "-1"
107 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.ec2_instance_policy
File: /ec2.tf:134-165
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
135 | name = "${local.application_name}-ec2-policy"
136 | role = aws_iam_role.ec2_instance_role.id
137 | policy = jsonencode({
138 | Version = "2012-10-17"
139 | Statement = [
140 | {
141 | Effect = "Allow",
142 | Action = [
143 | "logs:CreateLogGroup",
144 | "logs:CreateLogStream",
145 | "logs:DescribeLogStreams",
146 | "logs:PutRetentionPolicy",
147 | "logs:PutLogEvents",
148 | "logs:DescribeLogGroups",
149 | "cloudwatch:PutMetricData",
150 | "cloudwatch:GetMetricStatistics",
151 | "cloudwatch:ListMetrics",
152 | "ec2:DescribeInstances",
153 | ],
154 | Resource = "*"
155 | },
156 | {
157 | Effect = "Allow",
158 | Action = [
159 | "ec2:CreateTags"
160 | ],
161 | Resource = "*"
162 | }
163 | ]
164 | })
165 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.database
File: /ec2.tf:263-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
263 | resource "aws_cloudwatch_log_group" "database" {
264 | name = "${upper(local.application_name)}-EC2-database-alert"
265 | retention_in_days = 0
266 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
267 | tags = merge(
268 | local.tags,
269 | {
270 | Name = "${upper(local.application_name)}-EC2-database-alert"
271 | }
272 | )
273 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.pmon_status
File: /ec2.tf:288-298
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
288 | resource "aws_cloudwatch_log_group" "pmon_status" {
289 | name = "${upper(local.application_name)}-EC2-database-pmon-status"
290 | retention_in_days = 0
291 | # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
292 | tags = merge(
293 | local.tags,
294 | {
295 | Name = "${upper(local.application_name)}-EC2-database-pmon-status"
296 | }
297 | )
298 | }
Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
FAILED for resource: aws_kms_key.efs
File: /efs.tf:1-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8
1 | resource "aws_kms_key" "efs" {
2 | description = "KMS key for encrypting EFS"
3 | # enable_key_rotation = true
4 | tags = local.tags
5 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.ssh_key
File: /lambda.tf:7-22
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337
7 | resource "aws_ssm_parameter" "ssh_key" {
8 | name = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
9 | description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
10 | type = "SecureString"
11 | value = "Placeholder"
12 |
13 | tags = merge(
14 | local.tags,
15 | { Name = "EC2_SSH_KEY" }
16 | )
17 | lifecycle {
18 | ignore_changes = [
19 | value,
20 | ]
21 | }
22 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backup_lambda
File: /lambda.tf:50-90
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
51 | name = "${local.application_name}-${local.environment}-backup-lambda-policy"
52 | tags = merge(
53 | local.tags,
54 | { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
55 | )
56 | policy = <<EOF
57 | {
58 | "Version" : "2012-10-17",
59 | "Statement": [
60 | {
61 | "Action": [
62 | "lambda:InvokeFunction",
63 | "ec2:CreateNetworkInterface",
64 | "ec2:DescribeNetworkInterfaces",
65 | "ec2:DeleteNetworkInterface",
66 | "ec2:DescribeSecurityGroups",
67 | "ec2:CreateSnapshot",
68 | "ec2:DeleteSnapshot",
69 | "ec2:DescribeSubnets",
70 | "ec2:DescribeVpcs",
71 | "ec2:DescribeInstances",
72 | "ec2:DescribeAddresses",
73 | "ec2:DescribeInstanceStatus",
74 | "ec2:DescribeVolumes",
75 | "ec2:DescribeSnapshots",
76 | "ec2:CreateTags",
77 | "s3:*",
78 | "ssm:*",
79 | "ses:*",
80 | "logs:*",
81 | "cloudwatch:*",
82 | "sts:AssumeRole"
83 | ],
84 | "Resource": "*",
85 | "Effect": "Allow"
86 | }
87 | ]
88 | }
89 | EOF
90 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.create_db_snapshots
File: /lambda.tf:215-243
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
215 | resource "aws_lambda_function" "create_db_snapshots" {
216 |
217 | description = "Snapshot volumes for Oracle EC2"
218 | function_name = "snapshotDBFunction"
219 | role = aws_iam_role.backup_lambda.arn
220 | handler = "snapshot/dbsnapshot.handler"
221 | source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
222 | runtime = "nodejs18.x"
223 | layers = [aws_lambda_layer_version.backup_lambda.arn]
224 | s3_bucket = aws_s3_bucket.backup_lambda.id
225 | s3_key = "${local.create_db_snapshots_script_prefix}.zip"
226 | memory_size = 128
227 | timeout = 900
228 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
229 |
230 | environment {
231 | variables = {
232 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
233 | }
234 | }
235 | vpc_config {
236 | security_group_ids = [aws_security_group.backup_lambda.id]
237 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
238 | }
239 | tags = merge(
240 | local.tags,
241 | { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
242 | )
243 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.delete_db_snapshots
File: /lambda.tf:245-267
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
245 | resource "aws_lambda_function" "delete_db_snapshots" {
246 |
247 | description = "Clean up script to delete old unused snapshots"
248 | function_name = "deletesnapshotFunction"
249 | role = aws_iam_role.backup_lambda.arn
250 | handler = "deletesnapshots.lambda_handler"
251 | source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
252 | runtime = "python3.8"
253 | s3_bucket = aws_s3_bucket.backup_lambda.id
254 | s3_key = "${local.delete_db_snapshots_script_prefix}.zip"
255 | memory_size = 3000
256 | timeout = 900
257 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
258 |
259 | vpc_config {
260 | security_group_ids = [aws_security_group.backup_lambda.id]
261 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
262 | }
263 | tags = merge(
264 | local.tags,
265 | { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
266 | )
267 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.connect_db
File: /lambda.tf:269-300
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
269 | resource "aws_lambda_function" "connect_db" {
270 |
271 | description = "SSH to the DB EC2"
272 | function_name = "connectDBFunction"
273 | role = aws_iam_role.backup_lambda.arn
274 | handler = "ssh/dbconnect.handler"
275 | source_code_hash = data.archive_file.connect_db.output_base64sha256
276 | runtime = "nodejs18.x"
277 | layers = [aws_lambda_layer_version.backup_lambda.arn]
278 | s3_bucket = aws_s3_bucket.backup_lambda.id
279 | s3_key = "${local.db_connect_script_prefix}.zip"
280 | memory_size = 128
281 | timeout = 900
282 | depends_on = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
283 |
284 |
285 |
286 | environment {
287 | variables = {
288 | LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
289 |
290 | }
291 | }
292 | vpc_config {
293 | security_group_ids = [aws_security_group.backup_lambda.id]
294 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
295 | }
296 | tags = merge(
297 | local.tags,
298 | { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
299 | )
300 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: module.alb.aws_acm_certificate.external_lb
File: /modules/alb/main.tf:658-668
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy
658 | resource "aws_acm_certificate" "external_lb" {
659 |
660 | domain_name = var.acm_cert_domain_name
661 | validation_method = "DNS"
662 | subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
663 | tags = var.tags
664 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
665 | lifecycle {
666 | prevent_destroy = false
667 | }
668 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.alb.s3-bucket[0]
File: /modules/alb/main.tf:124-179
Calling File: /alb.tf:27-163
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
File: /modules/codebuild/main.tf:25-39
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300
25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
26 | bucket = aws_s3_bucket.deployment_report.id
27 |
28 | rule {
29 | id = "monthly-expiration"
30 | expiration {
31 | days = var.s3_lifecycle_expiration_days
32 | }
33 | noncurrent_version_expiration {
34 | noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
35 | }
36 |
37 | status = "Enabled"
38 | }
39 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
File: /modules/codebuild/main.tf:52-66
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted
52 | resource "aws_ecr_repository" "local-ecr" {
53 | name = "${var.app_name}-local-ecr"
54 | image_tag_mutability = "MUTABLE"
55 |
56 | image_scanning_configuration {
57 | scan_on_push = false
58 | }
59 |
60 | tags = merge(
61 | var.tags,
62 | {
63 | Name = "${var.app_name}-local-ecr"
64 | },
65 | )
66 | }
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
File: /modules/codebuild/main.tf:163-229
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
File: /modules/codebuild/main.tf:231-280
Calling File: /codebuild.tf:1-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
File: /modules/ecs/main.tf:107-164
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
File: /modules/ecs/main.tf:204-237
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
205 | name = "${var.app_name}-ec2-instance-policy"
206 | tags = merge(
207 | var.tags_common,
208 | {
209 | Name = "${var.app_name}-ec2-instance-policy"
210 | }
211 | )
212 | policy = <<EOF
213 | {
214 | "Version": "2012-10-17",
215 | "Statement": [
216 | {
217 | "Action": [
218 | "ecs:CreateCluster",
219 | "ecs:DeregisterContainerInstance",
220 | "ecs:DiscoverPollEndpoint",
221 | "ecs:Poll",
222 | "ecs:RegisterContainerInstance",
223 | "ecs:StartTelemetrySession",
224 | "ecs:Submit*",
225 | "logs:CreateLogGroup",
226 | "logs:CreateLogStream",
227 | "logs:PutLogEvents",
228 | "logs:DescribeLogStreams",
229 | "ecr:*"
230 | ],
231 | "Resource": "*",
232 | "Effect": "Allow"
233 | }
234 | ]
235 | }
236 | EOF
237 | }
Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
File: /modules/ecs/main.tf:266-287
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions
266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
267 | family = "${var.app_name}-task-definition"
268 | count = var.container_instance_type == "windows" ? 1 : 0
269 | execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
270 | task_role_arn = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
271 | requires_compatibilities = [
272 | "EC2",
273 | ]
274 |
275 | # volume {
276 | # name = var.task_definition_volume
277 | # }
278 |
279 | container_definitions = var.task_definition
280 |
281 | tags = merge(
282 | var.tags_common,
283 | {
284 | Name = "${var.app_name}-windows-task-definition"
285 | }
286 | )
287 | }
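The CKV_AWS_249 finding above matters more than its one-line description suggests: whatever credentials the containers can reach through the task metadata endpoint are the task role, and here that is also the execution role, so an SSRF or RCE inside the container yields the agent's ability to pull any image and read any injected secret that role can see. Splitting the two is the fix. The following is an added example and not the apex ECS module's own code; var.app_name, var.tags_common, var.container_instance_type and var.task_definition are the module's existing inputs, while the SSM parameter path granted to the task role is an assumption standing in for whatever the application actually calls.

```hcl
# Added example, not the apex ECS module's own code. var.app_name,
# var.tags_common, var.container_instance_type and var.task_definition are
# the module's inputs; the SSM parameter path granted to the task role is an
# assumption standing in for whatever the application really calls.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Execution role: what the ECS agent uses to pull the image, write to
# CloudWatch Logs and inject secrets. The AWS managed policy covers exactly
# that and nothing the application itself should be able to do.
resource "aws_iam_role" "ecs_task_execution_role" {
  name               = "${var.app_name}-ecs-task-execution-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
  tags               = var.tags_common
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Task role: what the containers receive via the task metadata endpoint.
# Starts empty; only the application's own AWS calls belong here.
resource "aws_iam_role" "ecs_task_role" {
  name               = "${var.app_name}-ecs-task-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
  tags               = var.tags_common
}

data "aws_iam_policy_document" "ecs_task_role" {
  statement {
    sid       = "ReadAppParameters" # assumed application need, for illustration
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.app_name}/*"]
  }
}

resource "aws_iam_role_policy" "ecs_task_role" {
  name   = "${var.app_name}-ecs-task-role-policy"
  role   = aws_iam_role.ecs_task_role.id
  policy = data.aws_iam_policy_document.ecs_task_role.json
}

resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
  count                    = var.container_instance_type == "windows" ? 1 : 0
  family                   = "${var.app_name}-task-definition"
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
  task_role_arn            = aws_iam_role.ecs_task_role.arn # distinct from the execution role
  requires_compatibilities = ["EC2"]
  container_definitions    = var.task_definition
  tags = merge(var.tags_common, { Name = "${var.app_name}-windows-task-definition" })
}
```

If the application currently relies on permissions that only the execution role had (for instance reading its own secrets at runtime rather than having them injected), those calls show up as AccessDenied in the container logs after the split and should be added to the task role explicitly rather than by reverting to a shared role.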
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
File: /modules/ecs/main.tf:439-467
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
440 | name = "${var.app_name}-ecs-service-policy"
441 | tags = merge(
442 | var.tags_common,
443 | {
444 | Name = "${var.app_name}-ecs-service-policy"
445 | }
446 | )
447 | policy = <<EOF
448 | {
449 | "Version": "2012-10-17",
450 | "Statement": [
451 | {
452 | "Effect": "Allow",
453 | "Action": [
454 | "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
455 | "elasticloadbalancing:DeregisterTargets",
456 | "elasticloadbalancing:Describe*",
457 | "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
458 | "elasticloadbalancing:RegisterTargets",
459 | "ec2:Describe*",
460 | "ec2:AuthorizeSecurityGroupIngress"
461 | ],
462 | "Resource": ["*"]
463 | }
464 | ]
465 | }
466 | EOF
467 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
File: /modules/ecs/main.tf:488-499
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
489 | #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
490 | name = "${var.app_name}-ecs-container-logs"
491 | retention_in_days = 90
492 | kms_key_id = var.log_group_kms_key
493 | tags = merge(
494 | var.tags_common,
495 | {
496 | Name = "${var.app_name}-ecs-container-logs"
497 | }
498 | )
499 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
File: /modules/ecs/main.tf:506-516
Calling File: /ecs.tf:5-38
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
506 | resource "aws_cloudwatch_log_group" "ec2" {
507 | name = "${var.app_name}-ecs-ec2-logs"
508 | retention_in_days = 90
509 | kms_key_id = var.log_group_kms_key
510 | tags = merge(
511 | var.tags_common,
512 | {
513 | Name = "${var.app_name}-ecs-ec2-logs"
514 | }
515 | )
516 | }
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
FAILED for resource: aws_iam_policy.backuplambdapolicy
File: /modules/lambdapolicy/main.tf:21-58
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289
21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
22 | name = var.backup_policy_name
23 | tags = var.tags
24 | policy = <<EOF
25 | {
26 | "Version" : "2012-10-17",
27 | "Statement": [
28 | {
29 | "Action": [
30 | "lambda:InvokeFunction",
31 | "ec2:CreateNetworkInterface",
32 | "ec2:DescribeNetworkInterfaces",
33 | "ec2:DeleteNetworkInterface",
34 | "ec2:DescribeSecurityGroups",
35 | "ec2:CreateSnapshot",
36 | "ec2:DeleteSnapshot",
37 | "ec2:DescribeSubnets",
38 | "ec2:DescribeVpcs",
39 | "ec2:DescribeInstances",
40 | "ec2:DescribeAddresses",
41 | "ec2:DescribeInstanceStatus",
42 | "ec2:DescribeVolumes",
43 | "ec2:DescribeSnapshots",
44 | "ec2:CreateTags",
45 | "s3:*",
46 | "ssm:*",
47 | "ses:*",
48 | "logs:*",
49 | "cloudwatch:*",
50 | "sts:AssumeRole"
51 | ],
52 | "Resource": "*",
53 | "Effect": "Allow"
54 | }
55 | ]
56 | }
57 | EOF
58 | }
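The five findings against aws_iam_policy.backuplambdapolicy all stem from one statement that grants s3:*, ssm:*, ses:*, logs:*, cloudwatch:* and sts:AssumeRole on "*"; the last of these is the credentials-exposure hit, since it lets the function assume any role in any account that trusts it, and s3:* on every bucket is the exfiltration hit. The added example below (not the lambdapolicy module's own code) rebuilds the policy with one statement per job, keeps "*" only where the action has no resource-level permissions, and uses aws_iam_policy_document instead of a heredoc so Terraform validates the JSON. The same restructuring applies to the ec2_instance_policy and ecs_service policies flagged earlier. var.backup_bucket_arn, var.ses_identity_arn, var.assume_role_arn, the /backup/ parameter path, the "Backup" metric namespace and the assumption that the function tags its snapshots CreatedBy=<policy name> are all illustrative; var.backup_policy_name and var.tags are the module's real inputs.

```hcl
# Added example, not the lambdapolicy module's own code. Assumptions for
# the illustration: var.backup_bucket_arn, var.ses_identity_arn,
# var.assume_role_arn, the /backup/ SSM path, the "Backup" metric namespace,
# and that the function tags the snapshots it creates CreatedBy=<policy name>.
# var.backup_policy_name and var.tags are the module's existing inputs.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  region  = data.aws_region.current.name
  account = data.aws_caller_identity.current.account_id
}

data "aws_iam_policy_document" "backup_lambda" {
  statement {
    sid = "DescribeOnly" # ec2:Describe* has no resource-level permissions
    actions = [
      "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeVolumes",
      "ec2:DescribeSnapshots", "ec2:DescribeAddresses", "ec2:DescribeSubnets",
      "ec2:DescribeVpcs", "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkInterfaces",
    ]
    resources = ["*"]
  }
  statement {
    sid     = "CreateSnapshot" # volumes in this account and region only
    actions = ["ec2:CreateSnapshot"]
    resources = [
      "arn:aws:ec2:${local.region}:${local.account}:volume/*",
      "arn:aws:ec2:${local.region}::snapshot/*",
    ]
  }
  statement {
    sid       = "DeleteOwnSnapshots" # only snapshots this function tagged
    actions   = ["ec2:DeleteSnapshot"]
    resources = ["arn:aws:ec2:${local.region}::snapshot/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/CreatedBy"
      values   = [var.backup_policy_name]
    }
  }
  statement {
    sid       = "TagOnlyDuringCreateSnapshot" # no retagging of arbitrary resources
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:${local.region}::snapshot/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["CreateSnapshot"]
    }
  }
  statement {
    sid       = "BackupBucketList"
    actions   = ["s3:ListBucket"]
    resources = [var.backup_bucket_arn]
  }
  statement {
    sid       = "BackupBucketObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${var.backup_bucket_arn}/*"]
  }
  statement {
    sid       = "ReadBackupParameters"
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["arn:aws:ssm:${local.region}:${local.account}:parameter/backup/*"]
  }
  statement {
    sid       = "SendReportMail"
    actions   = ["ses:SendEmail", "ses:SendRawEmail"]
    resources = [var.ses_identity_arn]
  }
  statement {
    sid       = "PutMetrics" # PutMetricData has no ARN; the namespace is the constraint
    actions   = ["cloudwatch:PutMetricData"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "cloudwatch:namespace"
      values   = ["Backup"]
    }
  }
  statement {
    sid       = "AssumeNamedRoleOnly" # sts:AssumeRole on "*" was the credentials-exposure finding
    actions   = ["sts:AssumeRole"]
    resources = [var.assume_role_arn]
  }
}

resource "aws_iam_policy" "backuplambdapolicy" {
  name   = var.backup_policy_name
  tags   = var.tags
  policy = data.aws_iam_policy_document.backup_lambda.json
}
```

The ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface trio in the original is what Lambda needs to attach to a VPC, and the logs:* grant covers its own log group; both are better supplied by attaching the AWS managed AWSLambdaVPCAccessExecutionRole policy to the function's role than by hand-written wildcards. The DeleteSnapshot condition only works if the function really applies the CreatedBy tag when it creates snapshots; if it does not, deletions fail with AccessDenied, which is the safe direction to fail in.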
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.apex
File: /sns.tf:6-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
6 | resource "aws_sns_topic" "apex" {
7 | name = "${local.application_name}-${local.environment}-alerting-topic"
8 | tags = merge(
9 | local.tags,
10 | {
11 | Name = "${local.application_name}-${local.environment}-alerting-topic"
12 | }
13 | )
14 | }
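CKV_AWS_26 is a one-attribute change on the topic, but the part that bites in practice is the key policy: CloudWatch alarms publish to the topic as the cloudwatch.amazonaws.com service principal, and if that principal cannot use the key, alarm notifications silently stop. The following added example (not sns.tf) shows the topic with a customer managed key whose policy allows exactly that. local.application_name, local.environment and local.tags are sns.tf's own locals; the key, alias and policy are new here.

```hcl
# Added example, not sns.tf. local.application_name, local.environment and
# local.tags are sns.tf's own locals; the KMS key, alias and key policy are
# new here.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "sns_kms" {
  # Account root keeps administrative control; IAM policies then decide which
  # principals in the account may actually manage the key.
  statement {
    sid       = "EnableIAMUserPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  # CloudWatch alarms encrypt their messages with this key when publishing.
  # Without this statement the publish fails and alerting goes quiet.
  statement {
    sid       = "AllowCloudWatchAlarmsToUseKey"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "sns" {
  description         = "CMK for the ${local.application_name}-${local.environment} alerting topic"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.sns_kms.json
  tags                = local.tags
}

resource "aws_kms_alias" "sns" {
  name          = "alias/${local.application_name}-${local.environment}-sns"
  target_key_id = aws_kms_key.sns.key_id
}

resource "aws_sns_topic" "apex" {
  name              = "${local.application_name}-${local.environment}-alerting-topic"
  kms_master_key_id = aws_kms_key.sns.arn
  tags = merge(local.tags, { Name = "${local.application_name}-${local.environment}-alerting-topic" })
}
```

Any other publisher to the topic (an EventBridge rule, AWS Budgets, a Lambda function) needs an equivalent statement in the key policy or a grant via its own IAM policy. Subscribers are unaffected: SNS decrypts before delivering to the HTTPS endpoint the pagerduty_core_alerts module subscribes, so the integration keeps working once the publishers are sorted out.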
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: pagerduty_core_alerts
File: /sns.tf:34-41
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
34 | module "pagerduty_core_alerts" {
35 | depends_on = [
36 | aws_sns_topic.apex
37 | ]
38 | source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
39 | sns_topics = [aws_sns_topic.apex.name]
40 | pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
FAILED for resource: aws_waf_web_acl.waf_acl
File: /waf.tf:57-87
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31
57 | resource "aws_waf_web_acl" "waf_acl" {
58 | depends_on = [
59 | aws_waf_rule.wafmanualallowrule,
60 | aws_waf_rule.wafmanualblockrule,
61 | ]
62 | name = "${upper(local.application_name)} Whitelisting Requesters"
63 | metric_name = "${upper(local.application_name)}WhitelistingRequesters"
64 | # scope = "CLOUDFRONT"
65 | # provider = aws.us-east-1
66 | default_action {
67 | type = "BLOCK"
68 | }
69 |
70 | rules {
71 | action {
72 | type = "ALLOW"
73 | }
74 | priority = 1
75 | rule_id = aws_waf_rule.wafmanualallowrule.id
76 | type = "REGULAR"
77 | }
78 |
79 | rules {
80 | action {
81 | type = "BLOCK"
82 | }
83 | priority = 2
84 | rule_id = aws_waf_rule.wafmanualblockrule.id
85 | type = "REGULAR"
86 | }
87 | }
Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65
Code lines for this resource are too many. Please use IDE of your choice to review the file.
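The WAF and CloudFront findings above (no WAF logging, no Log4j managed rule group, no response headers policy) are easiest to address together in WAFv2, which is also where the commented-out scope = "CLOUDFRONT" and provider = aws.us-east-1 lines in waf.tf were heading. The added example below is not waf.tf or cloudfront.tf: it builds a CloudFront-scoped WAFv2 web ACL with the AWS "known bad inputs" managed rule group (the group carrying the Log4j/JNDI signatures that CKV2_AWS_47 looks for), logs it to CloudWatch, attaches a response headers policy, and shows only the two distribution attributes that change. It assumes an aws.us-east-1 provider alias exists, since CloudFront-scoped WAFv2 resources must be created in us-east-1. The classic ACL's manual IP allow and block rules are not reproduced; carrying them over means ip_set_reference_statement rules and switching default_action back to block.

```hcl
# Added example, not waf.tf or cloudfront.tf. Assumes an aws.us-east-1
# provider alias; local.application_name, local.environment and local.tags
# are the environment's existing locals. The classic ACL's IP allow/block
# rules are not carried over here (see the note in the surrounding text).
resource "aws_wafv2_web_acl" "external" {
  provider = aws.us-east-1
  name     = "${local.application_name}-cloudfront"
  scope    = "CLOUDFRONT"

  default_action {
    allow {} # change to block {} once the IP allow-list rule is carried over
  }

  rule {
    name     = "aws-known-bad-inputs"
    priority = 1
    override_action {
      none {} # let the managed group's own block actions stand
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${local.application_name}KnownBadInputs"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${local.application_name}WebAcl"
    sampled_requests_enabled   = true
  }
  tags = local.tags
}

# WAF only accepts CloudWatch log groups whose name starts with aws-waf-logs-.
resource "aws_cloudwatch_log_group" "waf" {
  provider          = aws.us-east-1
  name              = "aws-waf-logs-${local.application_name}-${local.environment}"
  retention_in_days = 365
  tags              = local.tags
}

resource "aws_wafv2_web_acl_logging_configuration" "external" {
  provider     = aws.us-east-1
  resource_arn = aws_wafv2_web_acl.external.arn
  # Older provider versions returned the log group ARN with a trailing ":*",
  # which WAF rejects; trimsuffix is a no-op when the suffix is absent.
  log_destination_configs = [trimsuffix(aws_cloudwatch_log_group.waf.arn, ":*")]
}

resource "aws_cloudfront_response_headers_policy" "external" {
  name = "${local.application_name}-${local.environment}-security-headers"
  security_headers_config {
    strict_transport_security {
      access_control_max_age_sec = 31536000
      include_subdomains         = true
      override                   = true
    }
    content_type_options {
      override = true
    }
    frame_options {
      frame_option = "DENY"
      override     = true
    }
  }
}

resource "aws_cloudfront_distribution" "external" {
  # ... existing origins, aliases, logging and viewer_certificate unchanged
  web_acl_id = aws_wafv2_web_acl.external.arn # WAFv2 takes the ARN, not an ID
  default_cache_behavior {
    # ... existing cache behaviour settings unchanged
    response_headers_policy_id = aws_cloudfront_response_headers_policy.external.id
  }
}
```

Because the allow-listing currently done by the classic ACL is the only thing standing between the internet and the origin, do the migration in two steps: deploy the WAFv2 ACL with count mode (override_action { count {} }) and the IP rules in place, confirm in the sampled requests that legitimate traffic matches the allow list, then flip to the blocking configuration and swap web_acl_id on the distribution.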
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
FAILED for resource: aws_cloudfront_distribution.external
File: /cloudfront.tf:176-266
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
File: /modules/alb/main.tf:303-306
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
303 | resource "aws_secretsmanager_secret" "cloudfront" {
304 | name = "cloudfront-v1-secret-${var.application_name}"
305 | description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
306 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.cloudfront
File: /cloudfront.tf:108-121
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
108 | resource "aws_s3_bucket" "cloudfront" {
109 | bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
110 | # force_destroy = true # Enable to recreate bucket deleting everything inside
111 | tags = merge(
112 | local.tags,
113 | {
114 | Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
115 | }
116 | )
117 | # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
118 | lifecycle {
119 | prevent_destroy = false
120 | }
121 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
File: /modules/codebuild/main.tf:5-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "deployment_report" {
6 | bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
7 | # force_destroy = true # Enable to recreate bucket deleting everything inside
8 | tags = merge(
9 | var.tags,
10 | {
11 | Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
12 | },
13 | )
14 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
File: /lambda.tf:124-129
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
125 | bucket = aws_s3_bucket.backup_lambda.id
126 | rule {
127 | object_ownership = "ObjectWriter"
128 | }
129 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.backup_lambda
File: /lambda.tf:101-107
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
101 | resource "aws_s3_bucket" "backup_lambda" {
102 | bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 | tags = merge(
104 | local.tags,
105 | { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 | )
107 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
File: /modules/codebuild/main.tf:102-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
102 | resource "aws_s3_bucket" "codebuild_resources" {
103 | bucket = "laa-${var.app_name}-management-resourcebucket"
104 | # force_destroy = true
105 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.laa-lambda-backup
File: /modules/s3/main.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
1 | resource "aws_s3_bucket" "laa-lambda-backup" {
2 | bucket = var.bucket_name
3 | tags = var.tags
4 | }
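The S3 findings above recur across five buckets (cloudfront.tf, lambda.tf, modules/codebuild, modules/s3) because each resource is a bare aws_s3_bucket with none of the companion resources the AWS provider now expects. The added example below (not lambda.tf or the modules' code) applies the full baseline to the backup bucket: default SSE-KMS with a customer managed key, all four public-access blocks, ACLs disabled via BucketOwnerEnforced in place of the flagged ObjectWriter setting, versioning, server access logging, a lifecycle rule, and a bucket policy that refuses plaintext HTTP. aws_kms_key.s3 and aws_s3_bucket.access_logs are assumed to exist elsewhere; the bucket name and locals are lambda.tf's own. Cross-region replication (CKV_AWS_144) needs a destination bucket and replication role, and an event notification (CKV2_AWS_62) needs a target, so both are left out rather than stubbed.

```hcl
# Added example, not lambda.tf or the s3/codebuild modules. Assumes
# aws_kms_key.s3 and aws_s3_bucket.access_logs exist; local.application_name,
# local.environment and local.tags are lambda.tf's own locals.
resource "aws_s3_bucket" "backup_lambda" {
  bucket = "${local.application_name}-${local.environment}-backup-lambda"
  tags = merge(local.tags, { Name = "${local.application_name}-${local.environment}-backup-lambda" })
}

resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true # one data key per bucket, far fewer KMS calls
  }
}

resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# ObjectWriter (the flagged value) keeps ACLs alive; BucketOwnerEnforced
# disables them so the bucket policy is the only access control that counts.
resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_versioning" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_logging" "backup_lambda" {
  bucket        = aws_s3_bucket.backup_lambda.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "backup-lambda/"
}

resource "aws_s3_bucket_lifecycle_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    id     = "expire-old-versions"
    status = "Enabled"
    filter {} # whole bucket
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

data "aws_iam_policy_document" "backup_lambda_tls_only" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.backup_lambda.arn,
      "${aws_s3_bucket.backup_lambda.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  policy = data.aws_iam_policy_document.backup_lambda_tls_only.json
}
```

Two caveats before copying this onto the other four buckets. The access-log target bucket must be in the same region and, if it too has ACLs disabled, needs a bucket policy allowing logging.s3.amazonaws.com to s3:PutObject into it. And the CloudFront logging bucket in cloudfront.tf (laa-...-cloudfront-logging-...) cannot take BucketOwnerEnforced at all: CloudFront standard logging writes with ACLs and requires them to remain enabled on the destination bucket, so that finding has to be skipped with a justification rather than fixed.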
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
checkov_exitcode=1
TFLint Scan Failed
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.5.0)
tflint will check the following folders:
terraform/environments/apex
*****************************
Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/alb.tf line 17:
17: "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/alb.tf line 19:
19: zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/cloudwatch.tf line 401:
401: data "template_file" "dashboard" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/ec2.tf line 40:
40: data "local_file" "cloudwatch_agent" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/apex/event_triggers.tf line 22:
22: input = jsonencode({ "appname" : "${local.database_ec2_name}" })
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md
Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/lambda.tf line 119:
119: resource "time_sleep" "wait_for_provision_files" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)
on terraform/environments/apex/lambda.tf line 173:
173: data "archive_file" "connect_db" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md
tflint_exitcode=2
Trivy Scan Failed
*****************************
Trivy will check the following folders:
terraform/environments/apex
*****************************
Running Trivy in terraform/environments/apex
2024-09-12T14:24:15Z INFO [db] Need to update DB
2024-09-12T14:24:15Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-12T14:24:17Z INFO [vuln] Vulnerability scanning is enabled
2024-09-12T14:24:17Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-12T14:24:17Z INFO Need to update the built-in policies
2024-09-12T14:24:17Z INFO Downloading the built-in policies... 74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-12T14:24:18Z INFO [secret] Secret scanning is enabled
2024-09-12T14:24:18Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-12T14:24:18Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
cloudfront.tf (terraform)
=========================
Tests:15 (SUCCESSES:13, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.
See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:243
via cloudfront.tf:240-244 (viewer_certificate)
via cloudfront.tf:176-266 (aws_cloudfront_distribution.external)
────────────────────────────────────────
176 resource "aws_cloudfront_distribution" "external" {
...
243 [ minimum_protocol_version = "TLSv1.2_2018"
...
266 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:130-141
────────────────────────────────────────
130 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
131 │ bucket = aws_s3_bucket.cloudfront.id
132 │ rule {
133 │ apply_server_side_encryption_by_default {
134 │ sse_algorithm = "AES256"
135 │ }
136 │ }
137 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
138 └ lifecycle {
...
────────────────────────────────────────
ec2.tf (terraform)
==================
Tests:16 (SUCCESSES:11, FAILURES:2, EXCEPTIONS:3)
Failures:2 (HIGH:1, CRITICAL:1)
HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-38
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ec2.tf:105
via ec2.tf:103-107 (aws_vpc_security_group_egress_rule.db_outbound)
────────────────────────────────────────
103 resource "aws_vpc_security_group_egress_rule" "db_outbound" {
104 security_group_id = aws_security_group.database.id
105 [ cidr_ipv4 = "0.0.0.0/0"
106 ip_protocol = "-1"
107 }
────────────────────────────────────────
lambda.tf (terraform)
=====================
Tests:54 (SUCCESSES:7, FAILURES:3, EXCEPTIONS:44)
Failures:3 (HIGH:2, CRITICAL:1)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambda.tf:194
via lambda.tf:189-195 (egress)
via lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────
modules/alb/main.tf (terraform)
===============================
Tests:8 (SUCCESSES:6, FAILURES:1, EXCEPTIONS:1)
Failures:1 (HIGH:0, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/alb/main.tf:289
via modules/alb/main.tf:284-291 (content)
via modules/alb/main.tf:282-292 (dynamic.egress["lb_egress"])
via modules/alb/main.tf:264-293 (aws_security_group.lb)
via alb.tf:27-163 (module.alb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────
modules/ecs/main.tf (terraform)
===============================
Tests:33 (SUCCESSES:2, FAILURES:2, EXCEPTIONS:29)
Failures:2 (HIGH:1, CRITICAL:1)
CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
modules/ecs/main.tf:85
via modules/ecs/main.tf:80-87 (content)
via modules/ecs/main.tf:78-88 (dynamic.egress["cluster_ec2_lb_egress"])
via modules/ecs/main.tf:61-96 (aws_security_group.cluster_ec2)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
61 resource "aws_security_group" "cluster_ec2" {
...
85 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
96 }
────────────────────────────────────────
HIGH: Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default, the aws_instance resource sets IMDS session auth tokens to optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block with its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0130
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────
modules/s3/main.tf (terraform)
==============================
Tests:7 (SUCCESSES:5, FAILURES:2, EXCEPTIONS:0)
Failures:2 (HIGH:2, CRITICAL:0)
HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────
sns.tf (terraform)
==================
Tests:2 (SUCCESSES:1, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
sns.tf:6-14
────────────────────────────────────────
6  ┌ resource "aws_sns_topic" "apex" {
7  │   name = "${local.application_name}-${local.environment}-alerting-topic"
8  │   tags = merge(
9  │     local.tags,
10 │     {
11 │       Name = "${local.application_name}-${local.environment}-alerting-topic"
12 │     }
13 │   )
14 └ }
────────────────────────────────────────
trivy_exitcode=1
No description provided.