You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T16:45:08Z INFO [vulndb] Need to update DB
2025-01-16T16:45:08Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T16:45:08Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T16:45:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T16:45:10Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T16:45:10Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T16:45:10Z INFO [misconfig] Need to update the built-in checks
2025-01-16T16:45:10Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T16:45:11Z INFO [secret] Secret scanning is enabled
2025-01-16T16:45:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T16:45:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T16:45:12Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T16:45:12Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T16:45:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T16:45:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T16:45:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:45:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:45:13Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T16:45:13Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T16:45:16Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T16:45:16Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T16:45:17Z INFO Number of language-specific files num=0
2025-01-16T16:45:17Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 16:45:20,548 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 967, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_monitor" {
43 | name = "${local.application_name}-${local.environment}-payment-load-monitor"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T16:45:08Z INFO [vulndb] Need to update DB
2025-01-16T16:45:08Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T16:45:08Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T16:45:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T16:45:10Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T16:45:10Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T16:45:10Z INFO [misconfig] Need to update the built-in checks
2025-01-16T16:45:10Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [------------------------------------------------------] 100.00%? p/s 100ms2025-01-16T16:45:11Z INFO [secret] Secret scanning is enabled
2025-01-16T16:45:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T16:45:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T16:45:12Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T16:45:12Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T16:45:12Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T16:45:12Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T16:45:12Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T16:45:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:45:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:45:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:45:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:45:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:45:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:45:13Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T16:45:13Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T16:45:16Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T16:45:16Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T16:45:17Z INFO Number of language-specific files num=02025-01-16T16:45:17Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T16:51:39Z INFO [vulndb] Need to update DB
2025-01-16T16:51:39Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T16:51:39Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T16:51:41Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T16:51:41Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T16:51:41Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T16:51:41Z INFO [misconfig] Need to update the built-in checks
2025-01-16T16:51:41Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-16T16:51:41Z INFO [secret] Secret scanning is enabled
2025-01-16T16:51:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T16:51:41Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T16:51:43Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T16:51:43Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:51:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:51:44Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T16:51:44Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T16:51:47Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T16:51:47Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T16:51:47Z INFO Number of language-specific files num=0
2025-01-16T16:51:47Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 16:51:50,029 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 967, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_monitor" {
43 | name = "${local.application_name}-${local.environment}-payment-load-monitor"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T16:51:39Z INFO [vulndb] Need to update DB
2025-01-16T16:51:39Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T16:51:39Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T16:51:41Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T16:51:41Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T16:51:41Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T16:51:41Z INFO [misconfig] Need to update the built-in checks
2025-01-16T16:51:41Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [---------------------------------------------------------] 100.00%? p/s 0s2025-01-16T16:51:41Z INFO [secret] Secret scanning is enabled
2025-01-16T16:51:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T16:51:41Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T16:51:43Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T16:51:43Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:51:43Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:51:44Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T16:51:44Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T16:51:47Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T16:51:47Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T16:51:47Z INFO Number of language-specific files num=02025-01-16T16:51:47Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T16:55:08Z INFO [vulndb] Need to update DB
2025-01-16T16:55:08Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T16:55:08Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T16:55:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T16:55:10Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T16:55:10Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T16:55:10Z INFO [misconfig] Need to update the built-in checks
2025-01-16T16:55:10Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-16T16:55:11Z INFO [secret] Secret scanning is enabled
2025-01-16T16:55:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T16:55:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T16:55:12Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T16:55:12Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T16:55:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T16:55:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T16:55:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T16:55:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:55:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:55:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:55:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:55:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:55:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T16:55:13Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T16:55:13Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T16:55:16Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T16:55:16Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T16:55:17Z INFO Number of language-specific files num=0
2025-01-16T16:55:17Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 16:55:20,061 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 967, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_monitor" {
43 | name = "${local.application_name}-${local.environment}-payment-load-monitor"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T16:55:08Z INFO [vulndb] Need to update DB
2025-01-16T16:55:08Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T16:55:08Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T16:55:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T16:55:10Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T16:55:10Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T16:55:10Z INFO [misconfig] Need to update the built-in checks
2025-01-16T16:55:10Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [---------------------------------------------------------] 100.00%? p/s 0s2025-01-16T16:55:11Z INFO [secret] Secret scanning is enabled
2025-01-16T16:55:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T16:55:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T16:55:12Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T16:55:12Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T16:55:12Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T16:55:12Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T16:55:12Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T16:55:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:55:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:55:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:55:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:55:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:55:13Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T16:55:13Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T16:55:13Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T16:55:16Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T16:55:16Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T16:55:17Z INFO Number of language-specific files num=02025-01-16T16:55:17Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:03:45Z INFO [vulndb] Need to update DB
2025-01-16T17:03:45Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:03:45Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:03:47Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:03:47Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:03:47Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:03:47Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:03:47Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:03:47Z INFO [secret] Secret scanning is enabled
2025-01-16T17:03:47Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:03:47Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:03:49Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:03:49Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:03:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T17:03:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T17:03:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T17:03:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:03:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:03:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:03:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:03:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:03:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:03:50Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T17:03:50Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T17:03:53Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T17:03:53Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T17:03:54Z INFO Number of language-specific files num=0
2025-01-16T17:03:54Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 17:03:56,684 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 967, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_notifications
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_notifications" {
43 | name = "${local.application_name}-${local.environment}-payment-load-notifications"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-notifications"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_monitor.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:03:45Z INFO [vulndb] Need to update DB
2025-01-16T17:03:45Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T17:03:45Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:03:47Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:03:47Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:03:47Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:03:47Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:03:47Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [------------------------------------------------------] 100.00%? p/s 100ms2025-01-16T17:03:47Z INFO [secret] Secret scanning is enabled
2025-01-16T17:03:47Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:03:47Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T17:03:49Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T17:03:49Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T17:03:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T17:03:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T17:03:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T17:03:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:03:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:03:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:03:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:03:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:03:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:03:50Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T17:03:50Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T17:03:53Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T17:03:53Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T17:03:54Z INFO Number of language-specific files num=02025-01-16T17:03:54Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:06:50Z INFO [vulndb] Need to update DB
2025-01-16T17:06:50Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:06:50Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:06:52Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:06:52Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:06:52Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:06:52Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:06:52Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:06:52Z INFO [secret] Secret scanning is enabled
2025-01-16T17:06:52Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:06:52Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:06:54Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:06:54Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:06:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:06:55Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T17:06:55Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T17:06:57Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T17:06:57Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T17:06:59Z INFO Number of language-specific files num=0
2025-01-16T17:06:59Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 17:07:01,636 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 967, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_notifications
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_notifications" {
43 | name = "${local.application_name}-${local.environment}-payment-load-notifications"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-notifications"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:06:50Z INFO [vulndb] Need to update DB
2025-01-16T17:06:50Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T17:06:50Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:06:52Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:06:52Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:06:52Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:06:52Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:06:52Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [------------------------------------------------------] 100.00%? p/s 100ms2025-01-16T17:06:52Z INFO [secret] Secret scanning is enabled
2025-01-16T17:06:52Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:06:52Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T17:06:54Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T17:06:54Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:06:54Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:06:55Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T17:06:55Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T17:06:57Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T17:06:57Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T17:06:59Z INFO Number of language-specific files num=02025-01-16T17:06:59Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:26:06Z INFO [vulndb] Need to update DB
2025-01-16T17:26:06Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:26:06Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:26:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:26:08Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:26:08Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:26:08Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:26:08Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:26:08Z INFO [secret] Secret scanning is enabled
2025-01-16T17:26:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:26:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:26:10Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:26:10Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:26:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:26:11Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T17:26:11Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T17:26:14Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T17:26:14Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T17:26:15Z INFO Number of language-specific files num=0
2025-01-16T17:26:15Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 17:26:18,016 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 967, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_notifications
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_notifications" {
43 | name = "${local.application_name}-${local.environment}-payment-load-notifications"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-notifications"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:26:06Z INFO [vulndb] Need to update DB
2025-01-16T17:26:06Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T17:26:06Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:26:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:26:08Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:26:08Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:26:08Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:26:08Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [------------------------------------------------------] 100.00%? p/s 100ms2025-01-16T17:26:08Z INFO [secret] Secret scanning is enabled
2025-01-16T17:26:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:26:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T17:26:10Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T17:26:10Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:26:11Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:26:11Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T17:26:11Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T17:26:14Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T17:26:14Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T17:26:15Z INFO Number of language-specific files num=02025-01-16T17:26:15Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:47:42Z INFO [vulndb] Need to update DB
2025-01-16T17:47:42Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:47:42Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:47:44Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:47:44Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:47:44Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:47:44Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:47:44Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-16T17:47:44Z INFO [secret] Secret scanning is enabled
2025-01-16T17:47:44Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:47:44Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:47:45Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:47:46Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:47:46Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:47:46Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T17:47:46Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T17:47:49Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T17:47:49Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T17:47:50Z INFO Number of language-specific files num=0
2025-01-16T17:47:50Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 17:47:53,320 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 969, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_notifications
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_notifications" {
43 | name = "${local.application_name}-${local.environment}-payment-load-notifications"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-notifications"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:47:42Z INFO [vulndb] Need to update DB
2025-01-16T17:47:42Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T17:47:42Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:47:44Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:47:44Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:47:44Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:47:44Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:47:44Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [---------------------------------------------------------] 100.00%? p/s 0s2025-01-16T17:47:44Z INFO [secret] Secret scanning is enabled
2025-01-16T17:47:44Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:47:44Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T17:47:45Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T17:47:46Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:47:46Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:47:46Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T17:47:46Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T17:47:49Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T17:47:49Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T17:47:50Z INFO Number of language-specific files num=02025-01-16T17:47:50Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:51:06Z INFO [vulndb] Need to update DB
2025-01-16T17:51:06Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:51:06Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:51:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:51:08Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:51:08Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:51:08Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:51:08Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:51:08Z INFO [secret] Secret scanning is enabled
2025-01-16T17:51:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:51:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:51:10Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:51:10Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:51:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T17:51:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T17:51:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T17:51:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:51:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:51:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:51:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:51:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:51:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:51:11Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T17:51:11Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T17:51:14Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T17:51:14Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T17:51:14Z INFO Number of language-specific files num=0
2025-01-16T17:51:14Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 17:51:17,500 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 969, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_notifications
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_notifications" {
43 | name = "${local.application_name}-${local.environment}-payment-load-notifications"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-notifications"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:51:06Z INFO [vulndb] Need to update DB
2025-01-16T17:51:06Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T17:51:06Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:51:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:51:08Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:51:08Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:51:08Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:51:08Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [------------------------------------------------------] 100.00%? p/s 100ms2025-01-16T17:51:08Z INFO [secret] Secret scanning is enabled
2025-01-16T17:51:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:51:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T17:51:10Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T17:51:10Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T17:51:10Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T17:51:10Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T17:51:10Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T17:51:10Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:51:10Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:51:10Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:51:10Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:51:11Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:51:11Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:51:11Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T17:51:11Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T17:51:14Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T17:51:14Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T17:51:14Z INFO Number of language-specific files num=02025-01-16T17:51:14Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/ccms-ebs
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:53:44Z INFO [vulndb] Need to update DB
2025-01-16T17:53:44Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:53:44Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:53:47Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:53:47Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:53:47Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:53:47Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:53:47Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-16T17:53:47Z INFO [secret] Secret scanning is enabled
2025-01-16T17:53:47Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:53:47Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:53:49Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:53:49Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:53:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-16T17:53:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-16T17:53:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-16T17:53:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:53:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:53:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:53:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:53:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:53:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-16T17:53:50Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-16T17:53:50Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-16T17:53:53Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2025-01-16T17:53:53Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="ccms-iam.tf:283-289"
2025-01-16T17:53:54Z INFO Number of language-specific files num=0
2025-01-16T17:53:54Z INFO Detected config files num=29
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Checkov in terraform/environments/ccms-ebs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 17:53:57,001 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 969, Failed checks: 83, Skipped checks: 3
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
File: /ccms-cloudwatch.tf:54-106
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.groups
File: /ccms-cloudwatch.tf:15-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
15 | resource "aws_cloudwatch_log_group" "groups" {
16 | for_each = local.application_data.cw_log_groups
17 | name = each.key
18 | retention_in_days = each.value.retention_days
19 |
20 | tags = merge(
21 | local.tags,
22 | {
23 | Name = each.key
24 | },
25 | )
26 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.dlm_lifecycle
File: /ccms-dlm.tf:24-53
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
25 | count = local.is-production ? 0 : 1
26 | name = "dlm-lifecycle-policy"
27 | role = aws_iam_role.dlm_lifecycle_role[0].id
28 |
29 | policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 | {
34 | "Effect": "Allow",
35 | "Action": [
36 | "ec2:CreateSnapshot",
37 | "ec2:DeleteSnapshot",
38 | "ec2:DescribeVolumes",
39 | "ec2:DescribeSnapshots"
40 | ],
41 | "Resource": "*"
42 | },
43 | {
44 | "Effect": "Allow",
45 | "Action": [
46 | "ec2:CreateTags"
47 | ],
48 | "Resource": "arn:aws:ec2:*::snapshot/*"
49 | }
50 | ]
51 | }
52 | EOF
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ftp
File: /ccms-ec2-ftp.tf:1-67
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_mailrelay
File: /ccms-ec2-mailrelay.tf:2-57
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_accessgate
File: /ccms-ec2-oracle_accessgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.ebsapps_lb
File: /ccms-ec2-oracle_ebs_apps-alb.tf:1-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "ebsapps_lb" {
2 | name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 | internal = false
4 | load_balancer_type = "application"
5 | security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 | subnets = data.aws_subnets.shared-public.ids
7 |
8 | enable_deletion_protection = true
9 |
10 | access_logs {
11 | bucket = module.s3-bucket-logging.bucket.id
12 | prefix = local.lb_log_prefix_ebsapp
13 | enabled = true
14 | }
15 |
16 | tags = merge(local.tags,
17 | { Name = lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment)) }
18 | )
19 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.ebsapp_tg
File: /ccms-ec2-oracle_ebs_apps-alb.tf:39-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
39 | resource "aws_lb_target_group" "ebsapp_tg" {
40 | name = lower(format("tg-%s-%s-ebsapp", local.application_name, local.environment))
41 | port = local.application_data.accounts[local.environment].tg_apps_port
42 | protocol = "HTTP"
43 | vpc_id = data.aws_vpc.shared.id
44 | health_check {
45 | port = local.application_data.accounts[local.environment].tg_apps_port
46 | protocol = "HTTP"
47 | }
48 |
49 | stickiness {
50 | enabled = true
51 | type = "lb_cookie"
52 | cookie_duration = 3600
53 | }
54 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.ebsapps_nlb
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "ebsapps_nlb" {
17 | name = lower(format("nlb-%s-%s-ebs", local.application_name, local.environment))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.ebs_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.ebs_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.ebs_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("nlb-%s-%s-ebsapp", local.application_name, local.environment)) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_ebsapps
File: /ccms-ec2-oracle_ebs_apps.tf:1-127
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_oracle_ebs
File: /ccms-ec2-oracle_ebs_db.tf:1-68
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_lb
File: /ccms-ec2-oracle_webgate-alb.tf:1-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
1 | resource "aws_lb" "webgate_lb" {
2 | count = local.is-production ? 1 : 1
3 | name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 | internal = true
5 | load_balancer_type = "application"
6 | security_groups = [aws_security_group.sg_webgate_lb.id]
7 | subnets = data.aws_subnets.shared-private.ids
8 |
9 | enable_deletion_protection = true
10 |
11 | access_logs {
12 | bucket = module.s3-bucket-logging.bucket.id
13 | prefix = local.lb_log_prefix_wgate
14 | enabled = true
15 | }
16 |
17 | tags = merge(local.tags,
18 | { Name = lower(format("lb-%s-%s-wgate", local.application_name, local.environment)) }
19 | )
20 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg
File: /ccms-ec2-oracle_webgate-alb.tf:40-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
40 | resource "aws_lb_target_group" "webgate_tg" {
41 | count = local.is-production ? 1 : 1
42 | name = lower(format("tg-%s-%s-wgate", local.application_name, local.environment))
43 | port = 5401
44 | protocol = "HTTP"
45 | vpc_id = data.aws_vpc.shared.id
46 | health_check {
47 | port = 5401
48 | protocol = "HTTP"
49 | matcher = 302
50 | timeout = 10
51 | }
52 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.webgate_public_lb
File: /ccms-ec2-oracle_webgate-alb.tf:62-80
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers
62 | resource "aws_lb" "webgate_public_lb" {
63 | name = lower(format("public-alb-webgate"))
64 | internal = false
65 | load_balancer_type = "application"
66 | security_groups = [aws_security_group.sg_webgate_lb.id]
67 | subnets = data.aws_subnets.shared-public.ids
68 |
69 | enable_deletion_protection = true
70 |
71 | access_logs {
72 | bucket = module.s3-bucket-logging.bucket.id
73 | prefix = local.lb_log_prefix_wgate_public
74 | enabled = true
75 | }
76 |
77 | tags = merge(local.tags,
78 | { Name = lower(format("public-alb-webgate")) }
79 | )
80 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.webgate_tg_public
File: /ccms-ec2-oracle_webgate-alb.tf:100-111
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks
100 | resource "aws_lb_target_group" "webgate_tg_public" {
101 | name = lower(format("public-alb-webgate-tg"))
102 | port = 5401
103 | protocol = "HTTP"
104 | vpc_id = data.aws_vpc.shared.id
105 | health_check {
106 | port = 5401
107 | protocol = "HTTP"
108 | matcher = 302
109 | timeout = 10
110 | }
111 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.webgate_nlb
File: /ccms-ec2-oracle_webgate-nlb.tf:16-42
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22
16 | resource "aws_lb" "webgate_nlb" {
17 | name = lower(format("public-nlb-webgate"))
18 | internal = false
19 | load_balancer_type = "network"
20 |
21 | enable_deletion_protection = true
22 | enable_cross_zone_load_balancing = true
23 |
24 | subnet_mapping {
25 | subnet_id = data.aws_subnets.shared-public.ids[0]
26 | allocation_id = aws_eip.webgate_eip[0].id
27 | }
28 |
29 | subnet_mapping {
30 | subnet_id = data.aws_subnets.shared-public.ids[1]
31 | allocation_id = aws_eip.webgate_eip[1].id
32 | }
33 |
34 | subnet_mapping {
35 | subnet_id = data.aws_subnets.shared-public.ids[2]
36 | allocation_id = aws_eip.webgate_eip[2].id
37 | }
38 |
39 | tags = merge(local.tags,
40 | { Name = lower(format("public-nlb-webgate")) }
41 | )
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ec2_webgate
File: /ccms-ec2-oracle_webgate.tf:1-104
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.ec2_operations_policy
File: /ccms-iam.tf:249-273
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
249 | resource "aws_iam_policy" "ec2_operations_policy" {
250 | name = "ec2_operations-${local.environment}"
251 | description = "Allows EC2 operations."
252 |
253 | policy = jsonencode(
254 | {
255 | "Version" : "2012-10-17",
256 | "Statement" : [
257 | {
258 | "Sid" : "EC2Operations",
259 | "Effect" : "Allow",
260 | "Action" : [
261 | "ec2:Describe*",
262 | "ec2:CreateSnapshot",
263 | "ec2:CreateSnapshots",
264 | "ec2:DeleteSnapshot",
265 | "ec2:CreateTags",
266 | "ec2:DeleteTags"
267 | ],
268 | "Resource" : "*"
269 | }
270 | ]
271 | }
272 | )
273 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.lambda_policy
File: /ccms-lambda-certificate-monitor.tf:19-70
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.certificate_expiration_alerts
File: /ccms-lambda-certificate-monitor.tf:72-77
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
72 | resource "aws_sns_topic" "certificate_expiration_alerts" {
73 | name = "${local.application_name}-${local.environment}-acm-certificate-alerts"
74 | tags = merge(local.tags, {
75 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
76 | })
77 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.certificate_monitor
File: /ccms-lambda-certificate-monitor.tf:85-105
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
85 | resource "aws_lambda_function" "certificate_monitor" {
86 | filename = "./lambda/certificate_monitor.zip"
87 | source_code_hash = filebase64sha256("./lambda/certificate_monitor.zip")
88 | function_name = "${local.application_name}-${local.environment}-certificate-monitor"
89 | role = aws_iam_role.lambda_certificate_monitor_role.arn
90 | handler = "lambda_function.lambda_handler"
91 | runtime = "python3.13"
92 | timeout = 30
93 | publish = true
94 |
95 | environment {
96 | variables = {
97 | EXPIRY_DAYS = local.application_data.accounts[local.environment].certificate_expiry_days
98 | SECURITY_HUB_REGION = "eu-west-2"
99 | SNS_TOPIC_ARN = aws_sns_topic.certificate_expiration_alerts.arn
100 | }
101 | }
102 | tags = merge(local.tags, {
103 | Name = "${local.application_name}-${local.environment}-certificate-monitor"
104 | })
105 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.payment_load_notifications
File: /ccms-lambda-monitor-payment-load.tf:42-47
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
42 | resource "aws_sns_topic" "payment_load_notifications" {
43 | name = "${local.application_name}-${local.environment}-payment-load-notifications"
44 | tags = merge(local.tags, {
45 | Name = "${local.application_name}-${local.environment}-payment-load-notifications"
46 | })
47 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_payment_load_monitor
File: /ccms-lambda-monitor-payment-load.tf:55-73
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
55 | resource "aws_lambda_function" "lambda_payment_load_monitor" {
56 | filename = "./lambda/payment_load_monitor.zip"
57 | source_code_hash = filebase64sha256("./lambda/payment_load_monitor.zip")
58 | function_name = "${local.application_name}-${local.environment}-payment-load-monitor"
59 | role = aws_iam_role.lambda_payment_load_monitor_role.arn
60 | handler = "lambda_function.lambda_handler"
61 | runtime = "python3.13"
62 | timeout = 30
63 | publish = true
64 |
65 | environment {
66 | variables = {
67 | SNS_TOPIC_ARN = aws_sns_topic.payment_load_notifications.arn
68 | }
69 | }
70 | tags = merge(local.tags, {
71 | Name = "${local.application_name}-${local.environment}-payment-load-monitor"
72 | })
73 | }
Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.lambda_security_group
File: /ccms-lambda.tf:22-44
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
22 | resource "aws_security_group" "lambda_security_group" {
23 | name = "${local.application_name}-${local.environment}-lambda-sg"
24 | description = "SG traffic control for Payment Load Lambda"
25 | vpc_id = data.aws_vpc.shared.id
26 |
27 | ingress {
28 | from_port = 1521
29 | to_port = 1522
30 | protocol = "tcp"
31 | cidr_blocks = [data.aws_vpc.shared.cidr_block]
32 | }
33 |
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | tags = merge(local.tags,
42 | { Name = "${local.application_name}-${local.environment}-lambda-sg" }
43 | )
44 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.lambda_function
File: /ccms-lambda.tf:48-82
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
48 | resource "aws_lambda_function" "lambda_function" {
49 | function_name = "${local.application_name}-${local.environment}-payment-load"
50 | filename = "lambda/functionV2.zip"
51 | handler = "lambda_function.lambda_handler"
52 | runtime = "python3.10"
53 | role = aws_iam_role.lambda_execution_role.arn
54 | layers = [aws_lambda_layer_version.lambda_layer.arn]
55 | architectures = ["x86_64"]
56 | memory_size = 128
57 | timeout = 120
58 |
59 | vpc_config {
60 | subnet_ids = [data.aws_subnet.data_subnets_a.id]
61 | security_group_ids = [aws_security_group.lambda_security_group.id]
62 | }
63 | environment {
64 | variables = {
65 | IS_PRODUCTION = local.is-production ? "true" : "false"
66 | LD_LIBRARY_PATH = "/opt/instantclient_12_2_linux"
67 | S3_BUCKET_NAME = aws_s3_bucket.lambda_payment_load.bucket
68 | SECRET_NAME = aws_secretsmanager_secret.secret_lambda_s3.name
69 | }
70 | }
71 | logging_config {
72 | log_format = "JSON"
73 | application_log_level = "INFO"
74 | system_log_level = "INFO"
75 | }
76 |
77 | tags = merge(local.tags, {
78 | Name = "${local.application_name}-${local.environment}-payment-load"
79 | })
80 |
81 | depends_on = [aws_lambda_layer_version.lambda_layer]
82 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket
File: /ccms-s3.tf:2-71
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-logging
File: /ccms-s3.tf:98-166
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3-bucket-dbbackup
File: /ccms-s3.tf:190-258
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
FAILED for resource: aws_ses_configuration_set.default_configuration_set
File: /ccms-ses.tf:35-43
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365
35 | resource "aws_ses_configuration_set" "default_configuration_set" {
36 | name = "default-configuration-set"
37 |
38 | delivery_options {
39 | tls_policy = "Optional"
40 | }
41 | reputation_metrics_enabled = true
42 | sending_enabled = true
43 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.cw_alerts
File: /ccms-sns.tf:17-20
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
17 | resource "aws_sns_topic" "cw_alerts" {
18 | name = "ccms-ebs-ec2-alerts"
19 | #kms_master_key_id = "alias/aws/sns"
20 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.s3_topic
File: /ccms-sns.tf:34-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
34 | resource "aws_sns_topic" "s3_topic" {
35 | name = "s3-event-notification-topic"
36 | policy = data.aws_iam_policy_document.s3_topic_policy.json
37 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.ddos_alarm
File: /ccms-sns.tf:51-54
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
51 | resource "aws_sns_topic" "ddos_alarm" {
52 | name = format("%s_ddos_alarm", local.application_name)
53 | #kms_master_key_id = "alias/aws/sns"
54 | }
Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: aws_wafv2_web_acl.ebs_web_acl
File: /ccms-waf.tf:172-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2
172 | resource "aws_wafv2_web_acl" "ebs_web_acl" {
173 | name = "ebs_waf"
174 | scope = "REGIONAL"
175 | description = "AWS WAF Web ACL for EBS"
176 |
177 | default_action {
178 | block {}
179 | }
180 |
181 | rule {
182 | name = "ebs-trusted-rule"
183 |
184 | priority = 1
185 | action {
186 | allow {}
187 | }
188 |
189 | statement {
190 | ip_set_reference_statement {
191 | arn = aws_wafv2_ip_set.ebs_waf_ip_set.arn
192 | }
193 | }
194 |
195 | visibility_config {
196 | cloudwatch_metrics_enabled = true
197 | metric_name = "ebs_waf_metrics"
198 | sampled_requests_enabled = true
199 | }
200 | }
201 |
202 | tags = merge(local.tags,
203 | { Name = lower(format("lb-%s-%s-ebsapp-web-acl", local.application_name, local.environment)) }
204 | )
205 |
206 | visibility_config {
207 | cloudwatch_metrics_enabled = true
208 | metric_name = "ebs_waf_metrics"
209 | sampled_requests_enabled = true
210 | }
211 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.ebs_waf_logs
File: /ccms-waf.tf:213-220
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
213 | resource "aws_cloudwatch_log_group" "ebs_waf_logs" {
214 | name = "aws-waf-logs-ebs/ebs-waf-logs"
215 | retention_in_days = 30
216 |
217 | tags = merge(local.tags,
218 | { Name = lower(format("lb-%s-%s-ebs-waf-logs", local.application_name, local.environment)) }
219 | )
220 | }
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
FAILED for resource: aws_ssm_parameter.cw_agent_config
File: /ccms-cloudwatch.tf:28-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted
28 | resource "aws_ssm_parameter" "cw_agent_config" {
29 | description = "cloud watch agent config"
30 | name = "cloud-watch-config"
31 | type = "String"
32 | value = file("./templates/cw_agent_config.json")
33 |
34 | tags = merge(local.tags,
35 | { Name = "cw-config" }
36 | )
37 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
File: /ccms-secrets.tf:3-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
4 | name = "ftp-s3-${local.environment}-aws-key"
5 | description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
6 |
7 | tags = merge(local.tags,
8 | { Name = "ftp-s3-${local.environment}-aws-key" }
9 | )
10 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_ses_smtp_credentials
File: /ccms-secrets.tf:12-19
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "secret_ses_smtp_credentials" {
13 | name = "ses-smtp-credentials"
14 | description = "SMTP credentials for Postfix to send messages through SES."
15 |
16 | tags = merge(local.tags,
17 | { Name = "ses-smtp-credentials-${local.environment}" }
18 | )
19 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.secret_lambda_s3
File: /ccms-secrets.tf:23-30
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
23 | resource "aws_secretsmanager_secret" "secret_lambda_s3" {
24 | name = "db-${local.environment}-credentials"
25 | description = "AWS credentials for lambda to connect to the db"
26 |
27 | tags = merge(local.tags,
28 | { Name = "db-${local.environment}-credentials" }
29 | )
30 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.support_email_account
File: /ccms-sns.tf:2-5
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
2 | resource "aws_secretsmanager_secret" "support_email_account" {
3 | name = "support_email_account"
4 | description = "email address of the support account for cw alerts"
5 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
FAILED for resource: aws_kms_key.oracle_ec2
File: /ccms-kms.tf:1-7
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64
1 | resource "aws_kms_key" "oracle_ec2" {
2 | enable_key_rotation = true
3 |
4 | tags = merge(local.tags,
5 | { Name = "oracle_ec2" }
6 | )
7 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.ccms_ebs_shared
File: /ccms-s3.tf:286-288
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
286 | resource "aws_s3_bucket" "ccms_ebs_shared" {
287 | bucket = "${local.application_name}-${local.environment}-shared"
288 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_payment_load
File: /ccms-s3.tf:293-295
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
293 | resource "aws_s3_bucket" "lambda_payment_load" {
294 | bucket = "${local.application_name}-${local.environment}-payment-load"
295 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.ebs_eip
File: /ccms-ec2-oracle_ebs_apps-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "ebs_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.webgate_eip
File: /ccms-ec2-oracle_webgate-nlb.tf:2-13
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances
2 | resource "aws_eip" "webgate_eip" {
3 | count = local.is-production ? 6 : 3
4 | vpc = true
5 |
6 | lifecycle {
7 | prevent_destroy = true
8 | }
9 |
10 | tags = merge(local.tags,
11 | { Name = lower(format("lb-%s-%s-webgate-eip-${count.index + 1}", local.application_name, local.environment)) }
12 | )
13 | }
checkov_exitcode=1
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running tflint in terraform/environments/ccms-ebs
Excluding the following checks: terraform_unused_declarations
5issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 23:23:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 24:24:lz_aws_account_id_env="${local.application_data.accounts[local.environment].lz_aws_account_id_env}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-ftp.tf line 25:25:lz_ftp_bucket_environment="${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-mailrelay.tf line 28:28:smtp_fqdn="${local.application_data.accounts[local.environment].ses_domain_identity}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf line 31:31:environment="${local.environment}"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.mdtflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/ccms-ebs
*****************************
Running Trivy in terraform/environments/ccms-ebs
2025-01-16T17:53:44Z INFO [vulndb] Need to update DB
2025-01-16T17:53:44Z INFO [vulndb] Downloading vulnerability DB...2025-01-16T17:53:44Z INFO [vulndb] Downloading artifact...repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:53:47Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"2025-01-16T17:53:47Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:53:47Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:53:47Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:53:47Z INFO [misconfig] Downloading the built-in checks...160.80 KiB /160.80 KiB [---------------------------------------------------------] 100.00%? p/s 0s2025-01-16T17:53:47Z INFO [secret] Secret scanning is enabled
2025-01-16T17:53:47Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:53:47Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection2025-01-16T17:53:49Z INFO [terraformscanner] Scanning root module file_path="."2025-01-16T17:53:49Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="networking"2025-01-16T17:53:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_cloudwatch_log_group.groups"value="cty.NilVal"2025-01-16T17:53:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_egress_traffic"value="cty.NilVal"2025-01-16T17:53:49Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="aws_security_group_rule.all_internal_ingress_traffic"value="cty.NilVal"2025-01-16T17:53:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:53:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:53:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:53:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-dbbackup.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:53:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:53:50Z ERROR [terraformevaluator] Failed to expand dynamic block.block="module.s3-bucket-logging.aws_s3_bucket_lifecycle_configuration.default"err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"2025-01-16T17:53:50Z INFO [terraformscanner] Scanning root module file_path="modules"2025-01-16T17:53:50Z INFO [terraformscanner] Scanning root module file_path="modules/cw-logs"2025-01-16T17:53:53Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2025-01-16T17:53:53Z INFO [terraformexecutor] Ignore finding rule="aws-iam-no-user-attached-policies"range="ccms-iam.tf:283-289"2025-01-16T17:53:54Z INFO Number of language-specific files num=02025-01-16T17:53:54Z INFO Detected config files num=29
ccms-ec2-oracle_accessgate.tf (terraform)
=========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_accessgate" {
2 │ count=local.application_data.accounts[local.environment].accessgate_no_instances3 │ instance_type=local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate4 │ ami=local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index+1}"]
5 │ key_name=local.application_data.accounts[local.environment].key_name6 │ vpc_security_group_ids=[aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id=local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring=true..
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf (terraform)
===========================================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource"aws_lb""ebsapps_lb" {
2 │ name=lower(format("lb-%s-%s-ebsapp", local.application_name, local.environment))
3 │ internal=false4 │ load_balancer_type="application"5 │ security_groups=[aws_security_group.sg_ebsapps_lb.id]
6 │ subnets=data.aws_subnets.shared-public.ids7 │
8 │ enable_deletion_protection=true9 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-alb.tf:3
via ccms-ec2-oracle_ebs_apps-alb.tf:1-19 (aws_lb.ebsapps_lb)
────────────────────────────────────────
1resource"aws_lb""ebsapps_lb" {
.3 [ internal = false..19 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf (terraform)
===========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH):Loadbalancerisexposedpublicly.
════════════════════════════════════════
Therearemanyscenariosinwhichyouwouldwanttoexposealoadbalancertothewiderinternet, butthischeckexistsasawarningtopreventaccidentalexposureofinternalassets.Youshouldensurethatthisresourceshouldbeexposedpublicly.Seehttps://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps-nlb.tf:18viaccms-ec2-oracle_ebs_apps-nlb.tf:16-42 (aws_lb.ebsapps_nlb)
────────────────────────────────────────
16resource"aws_lb""ebsapps_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf (terraform)
=======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH):InstancedoesnotrequireIMDSaccesstorequireatoken.
════════════════════════════════════════
IMDSv2 (Instance Metadata Service) introducedsessionauthenticationtokenswhichimprovesecuritywhentalkingtoIMDS.Bydefault<code>aws_instance</code>resourcesetsIMDSsessionauthtokenstobeoptional.TofullyprotectIMDSyouneedtoenablesessiontokensbyusing<code>metadata_options</code>blockandits<code>http_tokens</code>variablesetto<code>required</code>.Seehttps://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_ebs_apps.tf:1-127
────────────────────────────────────────
1 ┌ resource"aws_instance""ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf (terraform)
=====================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ccms-ec2-oracle_ebs_db.tf:1-68
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring =true9 └ ebs_optimized =false
..
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf (terraform)
==========================================
Tests:3 (SUCCESSES:0, FAILURES:3)
Failures:3 (HIGH:3, CRITICAL:0)
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:1-20
────────────────────────────────────────
1 ┌ resource "aws_lb""webgate_lb" {
2 │ count = local.is-production ?1:13 │ name =lower(format("lb-%s-%s-wgate", local.application_name, local.environment))
4 │ internal =true5 │ load_balancer_type ="application"6 │ security_groups = [aws_security_group.sg_webgate_lb.id]
7 │ subnets = data.aws_subnets.shared-private.ids
8 │
9 └ enable_deletion_protection =true
..
────────────────────────────────────────
AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.
See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:62-80
────────────────────────────────────────
62 ┌ resource "aws_lb""webgate_public_lb" {
63 │ name =lower(format("public-alb-webgate"))
64 │ internal =false65 │ load_balancer_type ="application"66 │ security_groups = [aws_security_group.sg_webgate_lb.id]
67 │ subnets = data.aws_subnets.shared-public.ids
68 │
69 │ enable_deletion_protection =true70 └
..
────────────────────────────────────────
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-alb.tf:64
via ccms-ec2-oracle_webgate-alb.tf:62-80 (aws_lb.webgate_public_lb)
────────────────────────────────────────
62 resource "aws_lb""webgate_public_lb" {
..
64 [ internal =false
..
80 }
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf (terraform)
==========================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
ccms-ec2-oracle_webgate-nlb.tf:18
via ccms-ec2-oracle_webgate-nlb.tf:16-42 (aws_lb.webgate_nlb)
────────────────────────────────────────
16 resource "aws_lb""webgate_nlb" {
..
18 [ internal =false
..
42 }
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf (terraform)
======================================
Tests:1 (SUCCESSES:0, FAILURES:1)
Failures:1 (HIGH:1, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ccms-ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance""ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index+1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id9 └ monitoring =true
..
────────────────────────────────────────
ccms-s3.tf (terraform)
======================
Tests:8 (SUCCESSES:0, FAILURES:8)
Failures:8 (HIGH:8, CRITICAL:0)
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail iftheobjecthasanypublicACLa.
See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:286-288
────────────────────────────────────────
286 ┌ resource "aws_s3_bucket""ccms_ebs_shared" {
287 │ bucket ="${local.application_name}-${local.environment}-shared"288 └ }
────────────────────────────────────────
AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies forthebucket.Byenabling, therestrict_public_buckets, onlythebucketownerandAWSServicescanaccessifithasapublicpolicy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
ccms-s3.tf:293-295
────────────────────────────────────────
293 ┌ resource "aws_s3_bucket""lambda_payment_load" {
294 │ bucket ="${local.application_name}-${local.environment}-payment-load"295 └ }
────────────────────────────────────────
trivy_exitcode=1
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
github-actions
bot
added
the
environments-repository
mmgovuk
had a problem deploying
to
ccms-ebs-development
CC-2816: Added the payment-load-monitor Lambda function.