Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TM-508 Correct admin database password used #7873

Merged
merged 1 commit into from
Sep 19, 2024
Merged

TM-508 Correct admin database password used #7873

merged 1 commit into from
Sep 19, 2024

Conversation

vc13837
Copy link
Contributor

@vc13837 vc13837 commented Sep 19, 2024

No description provided.

@vc13837 vc13837 requested review from a team as code owners September 19, 2024 13:07
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 19, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex
terraform/environments/apex/modules/ecs

Running Trivy in terraform/environments/apex
2024-09-19T13:10:01Z INFO [db] Need to update DB
2024-09-19T13:10:01Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-19T13:10:01Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 210.702µs, allowed: 44000/minute

trivy_exitcode=1

Running Trivy in terraform/environments/apex/modules/ecs
2024-09-19T13:10:02Z INFO [db] Need to update DB
2024-09-19T13:10:02Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-19T13:10:02Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 346.839µs, allowed: 44000/minute

trivy_exitcode=2

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex
terraform/environments/apex/modules/ecs

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-19 13:10:04,776 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-09-19 13:10:04,776 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 358, Failed checks: 94, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:10-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		10 | resource "aws_backup_vault" "apex" {
		11 |   name = "${local.application_name}-backup-vault"
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${local.application_name}-backup-vault" },
		15 |   )
		16 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:156-174
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		156 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		157 |   count  = local.environment == "production" ? 1 : 0
		158 |   bucket = aws_s3_bucket.cloudfront.id
		159 | 
		160 |   rule {
		161 |     id = "delete-after-90days"
		162 | 
		163 |     expiration {
		164 |       days = 90
		165 |     }
		166 | 
		167 |     noncurrent_version_expiration {
		168 |       newer_noncurrent_versions = 1
		169 |       noncurrent_days           = 90
		170 |     }
		171 | 
		172 |     status = "Enabled"
		173 |   }
		174 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		294 | resource "aws_acm_certificate" "cloudfront" {
		295 |   domain_name               = local.environment == "production" ? data.aws_route53_zone.production_network_services.name : local.application_data.accounts[local.environment].acm_cert_domain_name
		296 |   validation_method         = "DNS"
		297 |   provider                  = aws.us-east-1
		298 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		299 |   tags                      = local.tags
		300 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		301 |   lifecycle {
		302 |     prevent_destroy = false
		303 |   }
		304 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |     )
		30 |   }
		31 | 
		32 |   tags = merge(
		33 |     local.tags,
		34 |     { "Name" = local.database_ec2_name },
		35 |     { "instance-scheduling" = "skip-scheduling" },
		36 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		37 |   )
		38 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:75-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		75 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		76 |   security_group_id            = aws_security_group.database.id
		77 |   description                  = "Allow Lambda SSH access for backup snapshots"
		78 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		79 |   from_port                    = 22
		80 |   ip_protocol                  = "tcp"
		81 |   to_port                      = 22
		82 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:103-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		103 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		104 |   security_group_id = aws_security_group.database.id
		105 |   cidr_ipv4         = "0.0.0.0/0"
		106 |   ip_protocol       = "-1"
		107 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:134-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		135 |   name = "${local.application_name}-ec2-policy"
		136 |   role = aws_iam_role.ec2_instance_role.id
		137 |   policy = jsonencode({
		138 |     Version = "2012-10-17"
		139 |     Statement = [
		140 |       {
		141 |         Effect = "Allow",
		142 |         Action = [
		143 |           "logs:CreateLogGroup",
		144 |           "logs:CreateLogStream",
		145 |           "logs:DescribeLogStreams",
		146 |           "logs:PutRetentionPolicy",
		147 |           "logs:PutLogEvents",
		148 |           "logs:DescribeLogGroups",
		149 |           "cloudwatch:PutMetricData",
		150 |           "cloudwatch:GetMetricStatistics",
		151 |           "cloudwatch:ListMetrics",
		152 |           "ec2:DescribeInstances",
		153 |         ],
		154 |         Resource = "*"
		155 |       },
		156 |       {
		157 |         Effect = "Allow",
		158 |         Action = [
		159 |           "ec2:CreateTags"
		160 |         ],
		161 |         Resource = "*"
		162 |       }
		163 |     ]
		164 |   })
		165 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:134-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		134 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		135 |   name = "${local.application_name}-ec2-policy"
		136 |   role = aws_iam_role.ec2_instance_role.id
		137 |   policy = jsonencode({
		138 |     Version = "2012-10-17"
		139 |     Statement = [
		140 |       {
		141 |         Effect = "Allow",
		142 |         Action = [
		143 |           "logs:CreateLogGroup",
		144 |           "logs:CreateLogStream",
		145 |           "logs:DescribeLogStreams",
		146 |           "logs:PutRetentionPolicy",
		147 |           "logs:PutLogEvents",
		148 |           "logs:DescribeLogGroups",
		149 |           "cloudwatch:PutMetricData",
		150 |           "cloudwatch:GetMetricStatistics",
		151 |           "cloudwatch:ListMetrics",
		152 |           "ec2:DescribeInstances",
		153 |         ],
		154 |         Resource = "*"
		155 |       },
		156 |       {
		157 |         Effect = "Allow",
		158 |         Action = [
		159 |           "ec2:CreateTags"
		160 |         ],
		161 |         Resource = "*"
		162 |       }
		163 |     ]
		164 |   })
		165 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:263-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		263 | resource "aws_cloudwatch_log_group" "database" {
		264 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		265 |   retention_in_days = 0
		266 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		267 |   tags = merge(
		268 |     local.tags,
		269 |     {
		270 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:288-298
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		288 | resource "aws_cloudwatch_log_group" "pmon_status" {
		289 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		290 |   retention_in_days = 0
		291 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		292 |   tags = merge(
		293 |     local.tags,
		294 |     {
		295 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |     }
		297 |   )
		298 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:303-306
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:658-668
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		658 | resource "aws_acm_certificate" "external_lb" {
		659 | 
		660 |   domain_name               = var.acm_cert_domain_name
		661 |   validation_method         = "DNS"
		662 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		663 |   tags                      = var.tags
		664 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		665 |   lifecycle {
		666 |     prevent_destroy = false
		667 |   }
		668 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:124-179
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:303-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:108-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		108 | resource "aws_s3_bucket" "cloudfront" {
		109 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		110 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		111 |   tags = merge(
		112 |     local.tags,
		113 |     {
		114 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		115 |     }
		116 |   )
		117 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		118 |   lifecycle {
		119 |     prevent_destroy = false
		120 |   }
		121 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:176-266
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/apex/modules/ecs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 75, Failed checks: 9, Skipped checks: 2

Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: aws_launch_template.ec2-launch-template
	File: /main.tf:107-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_launch_template.ec2-launch-template
	File: /main.tf:107-164
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /main.tf:204-237
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /main.tf:204-237
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /main.tf:204-237
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ecs_service
	File: /main.tf:439-467
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ecs_service
	File: /main.tf:439-467
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /main.tf:488-499
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ec2
	File: /main.tf:506-516
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }


checkov_exitcode=2

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex
terraform/environments/apex/modules/ecs

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 40:
  40: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/apex/modules/ecs
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex
terraform/environments/apex/modules/ecs

*****************************

Running Trivy in terraform/environments/apex
2024-09-19T13:10:01Z	INFO	[db] Need to update DB
2024-09-19T13:10:01Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-19T13:10:01Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 210.702µs, allowed: 44000/minute


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/apex/modules/ecs
2024-09-19T13:10:02Z	INFO	[db] Need to update DB
2024-09-19T13:10:02Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-19T13:10:02Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 346.839µs, allowed: 44000/minute


trivy_exitcode=2

@vc13837 vc13837 merged commit 020925a into main Sep 19, 2024
10 of 16 checks passed
@vc13837 vc13837 deleted the TM-508 branch September 19, 2024 13:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnasr-moj mnasr-moj mnasr-moj approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vc13837 @mnasr-moj