Experience Builder


Terraform


Repository: adv4000 / terraform-lessons
Description: Source Code for Course "Terraform From Beginner to Professional"
Stars: 195

Failed Checks
  • Security Scanning
  • Linting

Scan Date
  2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output

    2023-10-05 14:51:46,583 [MainThread  ] [WARNI]  Failed to download module [email protected]:adv4000/terraform-modules.git//aws_network:None (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 295, Failed checks: 374, Skipped checks: 0, Parsing errors: 34
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_Ubuntu
    	File: /Lesson-01/Lesson-1.tf:4-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		4  | resource "aws_instance" "my_Ubuntu" {
    		5  |   ami           = "ami-090f10efc254eaf55"
    		6  |   instance_type = "t3.micro"
    		7  | 
    		8  |   tags = {
    		9  |     Name    = "My Ubuntu Server"
    		10 |     Owner   = "Denis Astahov"
    		11 |     Project = "Terraform Lessons"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_Ubuntu
    	File: /Lesson-01/Lesson-1.tf:4-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		4  | resource "aws_instance" "my_Ubuntu" {
    		5  |   ami           = "ami-090f10efc254eaf55"
    		6  |   instance_type = "t3.micro"
    		7  | 
    		8  |   tags = {
    		9  |     Name    = "My Ubuntu Server"
    		10 |     Owner   = "Denis Astahov"
    		11 |     Project = "Terraform Lessons"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_Ubuntu
    	File: /Lesson-01/Lesson-1.tf:4-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		4  | resource "aws_instance" "my_Ubuntu" {
    		5  |   ami           = "ami-090f10efc254eaf55"
    		6  |   instance_type = "t3.micro"
    		7  | 
    		8  |   tags = {
    		9  |     Name    = "My Ubuntu Server"
    		10 |     Owner   = "Denis Astahov"
    		11 |     Project = "Terraform Lessons"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_Ubuntu
    	File: /Lesson-01/Lesson-1.tf:4-13
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		4  | resource "aws_instance" "my_Ubuntu" {
    		5  |   ami           = "ami-090f10efc254eaf55"
    		6  |   instance_type = "t3.micro"
    		7  | 
    		8  |   tags = {
    		9  |     Name    = "My Ubuntu Server"
    		10 |     Owner   = "Denis Astahov"
    		11 |     Project = "Terraform Lessons"
    		12 |   }
    		13 | }
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_Amazon
    	File: /Lesson-01/Lesson-1.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		15 | resource "aws_instance" "my_Amazon" {
    		16 |   ami           = "ami-03a71cec707bfc3d7"
    		17 |   instance_type = "t3.small"
    		18 | 
    		19 |   tags = {
    		20 |     Name    = "My Amazon Server"
    		21 |     Owner   = "Denis Astahov"
    		22 |     Project = "Terraform Lessons"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_Amazon
    	File: /Lesson-01/Lesson-1.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		15 | resource "aws_instance" "my_Amazon" {
    		16 |   ami           = "ami-03a71cec707bfc3d7"
    		17 |   instance_type = "t3.small"
    		18 | 
    		19 |   tags = {
    		20 |     Name    = "My Amazon Server"
    		21 |     Owner   = "Denis Astahov"
    		22 |     Project = "Terraform Lessons"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_Amazon
    	File: /Lesson-01/Lesson-1.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		15 | resource "aws_instance" "my_Amazon" {
    		16 |   ami           = "ami-03a71cec707bfc3d7"
    		17 |   instance_type = "t3.small"
    		18 | 
    		19 |   tags = {
    		20 |     Name    = "My Amazon Server"
    		21 |     Owner   = "Denis Astahov"
    		22 |     Project = "Terraform Lessons"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_Amazon
    	File: /Lesson-01/Lesson-1.tf:15-24
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		15 | resource "aws_instance" "my_Amazon" {
    		16 |   ami           = "ami-03a71cec707bfc3d7"
    		17 |   instance_type = "t3.small"
    		18 | 
    		19 |   tags = {
    		20 |     Name    = "My Amazon Server"
    		21 |     Owner   = "Denis Astahov"
    		22 |     Project = "Terraform Lessons"
    		23 |   }
    		24 | }
    
    Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
    	FAILED for resource: aws_default_vpc.default
    	File: /Lesson-02/WebServer.tf:14-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
    
    		14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-02/WebServer.tf:16-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = <WebServer with IP: $myip
    		Build by Terraform!" > /var/www/html/index.html
    		26 |   sudo service httpd start
    		27 |   chkconfig httpd on
    		28 | EOF
    		29 | 
    		30 |   tags = {
    		31 |     Name  = "Web Server Build by Terraform"
    		32 |     Owner = "Denis Astahov"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-02/WebServer.tf:16-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = <WebServer with IP: $myip
    		Build by Terraform!" > /var/www/html/index.html
    		26 |   sudo service httpd start
    		27 |   chkconfig httpd on
    		28 | EOF
    		29 | 
    		30 |   tags = {
    		31 |     Name  = "Web Server Build by Terraform"
    		32 |     Owner = "Denis Astahov"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-02/WebServer.tf:16-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = <WebServer with IP: $myip
    		Build by Terraform!" > /var/www/html/index.html
    		26 |   sudo service httpd start
    		27 |   chkconfig httpd on
    		28 | EOF
    		29 | 
    		30 |   tags = {
    		31 |     Name  = "Web Server Build by Terraform"
    		32 |     Owner = "Denis Astahov"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-02/WebServer.tf:16-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = <WebServer with IP: $myip
    		Build by Terraform!" > /var/www/html/index.html
    		26 |   sudo service httpd start
    		27 |   chkconfig httpd on
    		28 | EOF
    		29 | 
    		30 |   tags = {
    		31 |     Name  = "Web Server Build by Terraform"
    		32 |     Owner = "Denis Astahov"
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-02/WebServer.tf:37-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		37 | resource "aws_security_group" "my_webserver" {
    		38 |   name        = "WebServer Security Group"
    		39 |   description = "My First SecurityGroup"
    		40 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		41 | 
    		42 |   ingress {
    		43 |     from_port   = 80
    		44 |     to_port     = 80
    		45 |     protocol    = "tcp"
    		46 |     cidr_blocks = ["0.0.0.0/0"]
    		47 |   }
    		48 | 
    		49 |   ingress {
    		50 |     from_port   = 443
    		51 |     to_port     = 443
    		52 |     protocol    = "tcp"
    		53 |     cidr_blocks = ["0.0.0.0/0"]
    		54 |   }
    		55 | 
    		56 |   egress {
    		57 |     from_port   = 0
    		58 |     to_port     = 0
    		59 |     protocol    = "-1"
    		60 |     cidr_blocks = ["0.0.0.0/0"]
    		61 |   }
    		62 | 
    		63 |   tags = {
    		64 |     Name  = "Web Server SecurityGroup"
    		65 |     Owner = "Denis Astahov"
    		66 |   }
    		67 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-02/WebServer.tf:37-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		37 | resource "aws_security_group" "my_webserver" {
    		38 |   name        = "WebServer Security Group"
    		39 |   description = "My First SecurityGroup"
    		40 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		41 | 
    		42 |   ingress {
    		43 |     from_port   = 80
    		44 |     to_port     = 80
    		45 |     protocol    = "tcp"
    		46 |     cidr_blocks = ["0.0.0.0/0"]
    		47 |   }
    		48 | 
    		49 |   ingress {
    		50 |     from_port   = 443
    		51 |     to_port     = 443
    		52 |     protocol    = "tcp"
    		53 |     cidr_blocks = ["0.0.0.0/0"]
    		54 |   }
    		55 | 
    		56 |   egress {
    		57 |     from_port   = 0
    		58 |     to_port     = 0
    		59 |     protocol    = "-1"
    		60 |     cidr_blocks = ["0.0.0.0/0"]
    		61 |   }
    		62 | 
    		63 |   tags = {
    		64 |     Name  = "Web Server SecurityGroup"
    		65 |     Owner = "Denis Astahov"
    		66 |   }
    		67 | }
    
    Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
    	FAILED for resource: aws_default_vpc.default
    	File: /Lesson-03/WebServer.tf:14-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
    
    		14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-03/WebServer.tf:16-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = file("user_data.sh")
    		21 | 
    		22 |   tags = {
    		23 |     Name  = "Web Server Build by Terraform"
    		24 |     Owner = "Denis Astahov"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-03/WebServer.tf:16-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = file("user_data.sh")
    		21 | 
    		22 |   tags = {
    		23 |     Name  = "Web Server Build by Terraform"
    		24 |     Owner = "Denis Astahov"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-03/WebServer.tf:16-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = file("user_data.sh")
    		21 | 
    		22 |   tags = {
    		23 |     Name  = "Web Server Build by Terraform"
    		24 |     Owner = "Denis Astahov"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-03/WebServer.tf:16-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = file("user_data.sh")
    		21 | 
    		22 |   tags = {
    		23 |     Name  = "Web Server Build by Terraform"
    		24 |     Owner = "Denis Astahov"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-03/WebServer.tf:29-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		29 | resource "aws_security_group" "my_webserver" {
    		30 |   name        = "WebServer Security Group"
    		31 |   description = "My First SecurityGroup"
    		32 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		33 | 
    		34 |   ingress {
    		35 |     from_port   = 80
    		36 |     to_port     = 80
    		37 |     protocol    = "tcp"
    		38 |     cidr_blocks = ["0.0.0.0/0"]
    		39 |   }
    		40 | 
    		41 |   ingress {
    		42 |     from_port   = 443
    		43 |     to_port     = 443
    		44 |     protocol    = "tcp"
    		45 |     cidr_blocks = ["0.0.0.0/0"]
    		46 |   }
    		47 | 
    		48 |   egress {
    		49 |     from_port   = 0
    		50 |     to_port     = 0
    		51 |     protocol    = "-1"
    		52 |     cidr_blocks = ["0.0.0.0/0"]
    		53 |   }
    		54 | 
    		55 |   tags = {
    		56 |     Name  = "Web Server SecurityGroup"
    		57 |     Owner = "Denis Astahov"
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-03/WebServer.tf:29-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		29 | resource "aws_security_group" "my_webserver" {
    		30 |   name        = "WebServer Security Group"
    		31 |   description = "My First SecurityGroup"
    		32 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		33 | 
    		34 |   ingress {
    		35 |     from_port   = 80
    		36 |     to_port     = 80
    		37 |     protocol    = "tcp"
    		38 |     cidr_blocks = ["0.0.0.0/0"]
    		39 |   }
    		40 | 
    		41 |   ingress {
    		42 |     from_port   = 443
    		43 |     to_port     = 443
    		44 |     protocol    = "tcp"
    		45 |     cidr_blocks = ["0.0.0.0/0"]
    		46 |   }
    		47 | 
    		48 |   egress {
    		49 |     from_port   = 0
    		50 |     to_port     = 0
    		51 |     protocol    = "-1"
    		52 |     cidr_blocks = ["0.0.0.0/0"]
    		53 |   }
    		54 | 
    		55 |   tags = {
    		56 |     Name  = "Web Server SecurityGroup"
    		57 |     Owner = "Denis Astahov"
    		58 |   }
    		59 | }
    
    Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
    	FAILED for resource: aws_default_vpc.default
    	File: /Lesson-04/WebServer.tf:14-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
    
    		14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-04/WebServer.tf:16-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = templatefile("user_data.sh.tpl", {
    		21 |     f_name = "Denis",
    		22 |     l_name = "Astahov",
    		23 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
    		24 |   })
    		25 | 
    		26 |   tags = {
    		27 |     Name  = "Web Server Build by Terraform"
    		28 |     Owner = "Denis Astahov"
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-04/WebServer.tf:16-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = templatefile("user_data.sh.tpl", {
    		21 |     f_name = "Denis",
    		22 |     l_name = "Astahov",
    		23 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
    		24 |   })
    		25 | 
    		26 |   tags = {
    		27 |     Name  = "Web Server Build by Terraform"
    		28 |     Owner = "Denis Astahov"
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-04/WebServer.tf:16-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = templatefile("user_data.sh.tpl", {
    		21 |     f_name = "Denis",
    		22 |     l_name = "Astahov",
    		23 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
    		24 |   })
    		25 | 
    		26 |   tags = {
    		27 |     Name  = "Web Server Build by Terraform"
    		28 |     Owner = "Denis Astahov"
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-04/WebServer.tf:16-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		16 | resource "aws_instance" "my_webserver" {
    		17 |   ami                    = "ami-03a71cec707bfc3d7"
    		18 |   instance_type          = "t3.micro"
    		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		20 |   user_data              = templatefile("user_data.sh.tpl", {
    		21 |     f_name = "Denis",
    		22 |     l_name = "Astahov",
    		23 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
    		24 |   })
    		25 | 
    		26 |   tags = {
    		27 |     Name  = "Web Server Build by Terraform"
    		28 |     Owner = "Denis Astahov"
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-04/WebServer.tf:33-63
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		33 | resource "aws_security_group" "my_webserver" {
    		34 |   name        = "WebServer Security Group"
    		35 |   description = "My First SecurityGroup"
    		36 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		37 | 
    		38 |   ingress {
    		39 |     from_port   = 80
    		40 |     to_port     = 80
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }
    		44 | 
    		45 |   ingress {
    		46 |     from_port   = 443
    		47 |     to_port     = 443
    		48 |     protocol    = "tcp"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   egress {
    		53 |     from_port   = 0
    		54 |     to_port     = 0
    		55 |     protocol    = "-1"
    		56 |     cidr_blocks = ["0.0.0.0/0"]
    		57 |   }
    		58 | 
    		59 |   tags = {
    		60 |     Name  = "Web Server SecurityGroup"
    		61 |     Owner = "Denis Astahov"
    		62 |   }
    		63 | }
    
    Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-04/WebServer.tf:33-63
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
    
    		33 | resource "aws_security_group" "my_webserver" {
    		34 |   name        = "WebServer Security Group"
    		35 |   description = "My First SecurityGroup"
    		36 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		37 | 
    		38 |   ingress {
    		39 |     from_port   = 80
    		40 |     to_port     = 80
    		41 |     protocol    = "tcp"
    		42 |     cidr_blocks = ["0.0.0.0/0"]
    		43 |   }
    		44 | 
    		45 |   ingress {
    		46 |     from_port   = 443
    		47 |     to_port     = 443
    		48 |     protocol    = "tcp"
    		49 |     cidr_blocks = ["0.0.0.0/0"]
    		50 |   }
    		51 | 
    		52 |   egress {
    		53 |     from_port   = 0
    		54 |     to_port     = 0
    		55 |     protocol    = "-1"
    		56 |     cidr_blocks = ["0.0.0.0/0"]
    		57 |   }
    		58 | 
    		59 |   tags = {
    		60 |     Name  = "Web Server SecurityGroup"
    		61 |     Owner = "Denis Astahov"
    		62 |   }
    		63 | }
    
    Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
    	FAILED for resource: aws_default_vpc.default
    	File: /Lesson-05/DynamicSecurityGroup.tf:14-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
    
    		14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-05/DynamicSecurityGroup.tf:16-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		16 | resource "aws_security_group" "my_webserver" {
    		17 |   name   = "Dynamic Security Group"
    		18 |   vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		19 | 
    		20 | 
    		21 |   dynamic "ingress" {
    		22 |     for_each = ["80", "443", "8080", "1541", "9092", "9093"]
    		23 |     content {
    		24 |       from_port   = ingress.value
    		25 |       to_port     = ingress.value
    		26 |       protocol    = "tcp"
    		27 |       cidr_blocks = ["0.0.0.0/0"]
    		28 |     }
    		29 |   }
    		30 | 
    		31 | 
    		32 |   ingress {
    		33 |     from_port   = 22
    		34 |     to_port     = 22
    		35 |     protocol    = "tcp"
    		36 |     cidr_blocks = ["10.10.0.0/16"]
    		37 |   }
    		38 | 
    		39 | 
    		40 | 
    		41 |   egress {
    		42 |     from_port   = 0
    		43 |     to_port     = 0
    		44 |     protocol    = "-1"
    		45 |     cidr_blocks = ["0.0.0.0/0"]
    		46 |   }
    		47 | 
    		48 |   tags = {
    		49 |     Name  = "Dynamic SecurityGroup"
    		50 |     Owner = "Denis Astahov"
    		51 |   }
    		52 | }
    
    Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
    	FAILED for resource: aws_default_vpc.default
    	File: /Lesson-06/WebServer.tf:14-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
    
    		14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-06/WebServer.tf:26-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		26 | resource "aws_instance" "my_webserver" {
    		27 |   ami                    = "ami-07ab3281411d31d04"
    		28 |   instance_type          = "t3.micro"
    		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		30 |   user_data              = templatefile("user_data.sh.tpl", {
    		31 |     f_name = "Denis",
    		32 |     l_name = "Astahov",
    		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
    		34 |   })
    		35 |   user_data_replace_on_change = true # Added in the new AWS provider!!!
    		36 | 
    		37 |   tags = {
    		38 |     Name  = "Web Server Build by Terraform"
    		39 |     Owner = "Denis Astahov"
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-06/WebServer.tf:26-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		26 | resource "aws_instance" "my_webserver" {
    		27 |   ami                    = "ami-07ab3281411d31d04"
    		28 |   instance_type          = "t3.micro"
    		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		30 |   user_data              = templatefile("user_data.sh.tpl", {
    		31 |     f_name = "Denis",
    		32 |     l_name = "Astahov",
    		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
    		34 |   })
    		35 |   user_data_replace_on_change = true # Added in the new AWS provider!!!
    		36 | 
    		37 |   tags = {
    		38 |     Name  = "Web Server Build by Terraform"
    		39 |     Owner = "Denis Astahov"
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-06/WebServer.tf:26-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		26 | resource "aws_instance" "my_webserver" {
    		27 |   ami                    = "ami-07ab3281411d31d04"
    		28 |   instance_type          = "t3.micro"
    		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		30 |   user_data              = templatefile("user_data.sh.tpl", {
    		31 |     f_name = "Denis",
    		32 |     l_name = "Astahov",
    		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
    		34 |   })
    		35 |   user_data_replace_on_change = true # Added in the new AWS provider!!!
    		36 | 
    		37 |   tags = {
    		38 |     Name  = "Web Server Build by Terraform"
    		39 |     Owner = "Denis Astahov"
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-06/WebServer.tf:26-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		26 | resource "aws_instance" "my_webserver" {
    		27 |   ami                    = "ami-07ab3281411d31d04"
    		28 |   instance_type          = "t3.micro"
    		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		30 |   user_data              = templatefile("user_data.sh.tpl", {
    		31 |     f_name = "Denis",
    		32 |     l_name = "Astahov",
    		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
    		34 |   })
    		35 |   user_data_replace_on_change = true # Added in the new AWS provider!!!
    		36 | 
    		37 |   tags = {
    		38 |     Name  = "Web Server Build by Terraform"
    		39 |     Owner = "Denis Astahov"
    		40 |   }
    		41 | 
    		42 |   lifecycle {
    		43 |     create_before_destroy = true
    		44 |   }
    		45 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-06/WebServer.tf:48-75
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		48 | resource "aws_security_group" "my_webserver" {
    		49 |   name        = "WebServer Security Group"
    		50 |   description = "My First SecurityGroup"
    		51 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		52 | 
    		53 |   dynamic "ingress" {
    		54 |     for_each = ["80", "443"]
    		55 |     content {
    		56 |       from_port   = ingress.value
    		57 |       to_port     = ingress.value
    		58 |       protocol    = "tcp"
    		59 |       cidr_blocks = ["0.0.0.0/0"]
    		60 |     }
    		61 |   }
    		62 | 
    		63 | 
    		64 |   egress {
    		65 |     from_port   = 0
    		66 |     to_port     = 0
    		67 |     protocol    = "-1"
    		68 |     cidr_blocks = ["0.0.0.0/0"]
    		69 |   }
    		70 | 
    		71 |   tags = {
    		72 |     Name  = "Web Server SecurityGroup"
    		73 |     Owner = "Denis Astahov"
    		74 |   }
    		75 | }
    
    Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
    	FAILED for resource: aws_default_vpc.default
    	File: /Lesson-07/main.tf:14-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
    
    		14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-07/main.tf:26-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		26 | resource "aws_instance" "my_webserver" {
    		27 |   ami                    = "ami-07ab3281411d31d04"
    		28 |   instance_type          = "t3.micro"
    		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		30 |   user_data              = templatefile("user_data.sh.tpl", {
    		31 |     f_name = "Denis",
    		32 |     l_name = "Astahov",
    		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
    		34 |   })
    		35 | 
    		36 |   tags = {
    		37 |     Name  = "Web Server Build by Terraform"
    		38 |     Owner = "Denis Astahov"
    		39 |   }
    		40 | 
    		41 |   lifecycle {
    		42 |     create_before_destroy = true
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-07/main.tf:26-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
    
    		26 | resource "aws_instance" "my_webserver" {
    		27 |   ami                    = "ami-07ab3281411d31d04"
    		28 |   instance_type          = "t3.micro"
    		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		30 |   user_data              = templatefile("user_data.sh.tpl", {
    		31 |     f_name = "Denis",
    		32 |     l_name = "Astahov",
    		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
    		34 |   })
    		35 | 
    		36 |   tags = {
    		37 |     Name  = "Web Server Build by Terraform"
    		38 |     Owner = "Denis Astahov"
    		39 |   }
    		40 | 
    		41 |   lifecycle {
    		42 |     create_before_destroy = true
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-07/main.tf:26-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
    
    		26 | resource "aws_instance" "my_webserver" {
    		27 |   ami                    = "ami-07ab3281411d31d04"
    		28 |   instance_type          = "t3.micro"
    		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		30 |   user_data              = templatefile("user_data.sh.tpl", {
    		31 |     f_name = "Denis",
    		32 |     l_name = "Astahov",
    		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
    		34 |   })
    		35 | 
    		36 |   tags = {
    		37 |     Name  = "Web Server Build by Terraform"
    		38 |     Owner = "Denis Astahov"
    		39 |   }
    		40 | 
    		41 |   lifecycle {
    		42 |     create_before_destroy = true
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
    	FAILED for resource: aws_instance.my_webserver
    	File: /Lesson-07/main.tf:26-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
    
    		26 | resource "aws_instance" "my_webserver" {
    		27 |   ami                    = "ami-07ab3281411d31d04"
    		28 |   instance_type          = "t3.micro"
    		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		30 |   user_data              = templatefile("user_data.sh.tpl", {
    		31 |     f_name = "Denis",
    		32 |     l_name = "Astahov",
    		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
    		34 |   })
    		35 | 
    		36 |   tags = {
    		37 |     Name  = "Web Server Build by Terraform"
    		38 |     Owner = "Denis Astahov"
    		39 |   }
    		40 | 
    		41 |   lifecycle {
    		42 |     create_before_destroy = true
    		43 |   }
    		44 | 
    		45 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group.my_webserver
    	File: /Lesson-07/main.tf:48-76
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		48 | resource "aws_security_group" "my_webserver" {
    		49 |   name        = "WebServer Security Group"
    		50 |   description = "My First SecurityGroup"
    		51 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
    		52 | 
    		53 | 
    		54 |   dynamic "ingress" {
    		55 |     for_each = ["80", "443"]
    		56 |     content {
    		57 |       from_port   = ingress.value
    		58 |       to_port     = ingress.value
    		59 |       protocol    = "tcp"
    		60 |       cidr_blocks = ["0.0.0.0/0"]
    		61 |     }
    		62 |   }
    		63 | 
    		64 | 
    		65 |   egress {
    		66 |     from_port   = 0
    		67 |     to_port     = 0
    		68 |     protocol    = "-1"
    		69 |     cidr_blocks = ["0.0.0.0/0"]
    		70 |   }
    		71 | 
    		72 |   tags = {
    		73 |     Name  = "Web Server SecurityGroup"
    		74 |     Owner = "Denis Astahov"
    		75 |   }
    		76 | }
    
    Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
    	FAILED for resource: aws_default_vpc.default
    	File: /Lesson-08/main.tf:11-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
    
    		11 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
    
    Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
    	FAILED for resource: aws_instance.my_server_web
    	File: /Lesson-08/main.tf:13-22
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
    
    		13 | resource "aws_instance" "my_server_web" {
    		14 |   ami                    = "ami-03a71cec707bfc3d7"
    		15 |   instance_type          = "t3.micro"
    		16 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
    		17 | 
    		18 |   tags = {
    		19 |     Name = "Server-Web"
    		20 |   }
    		21 |   depends_on = [aws_instance.my_server_db, aws_instance.my_server_app]
    		22 | }
    
    Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
    	FAILED for resource: aws_instance.my_server_web
    	File: 
/Lesson-08/main.tf:13-22 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 13 | resource "aws_instance" "my_server_web" { 14 | ami = "ami-03a71cec707bfc3d7" 15 | instance_type = "t3.micro" 16 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 17 | 18 | tags = { 19 | Name = "Server-Web" 20 | } 21 | depends_on = [aws_instance.my_server_db, aws_instance.my_server_app] 22 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.my_server_web File: /Lesson-08/main.tf:13-22 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 13 | resource "aws_instance" "my_server_web" { 14 | ami = "ami-03a71cec707bfc3d7" 15 | instance_type = "t3.micro" 16 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 17 | 18 | tags = { 19 | Name = "Server-Web" 20 | } 21 | depends_on = [aws_instance.my_server_db, aws_instance.my_server_app] 22 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.my_server_web File: /Lesson-08/main.tf:13-22 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 13 | resource "aws_instance" "my_server_web" { 14 | ami = "ami-03a71cec707bfc3d7" 15 | instance_type = "t3.micro" 16 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 17 | 18 | tags = { 19 | Name = "Server-Web" 20 | } 21 | depends_on = [aws_instance.my_server_db, aws_instance.my_server_app] 22 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.my_server_app File: /Lesson-08/main.tf:24-34 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 24 | resource "aws_instance" "my_server_app" { 25 | ami = "ami-03a71cec707bfc3d7" 26 | instance_type = "t3.micro" 27 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 28 | 29 | tags = { 30 | Name = "Server-Application" 31 | } 32 | 33 | depends_on = [aws_instance.my_server_db] 34 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.my_server_app File: /Lesson-08/main.tf:24-34 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 24 | resource "aws_instance" "my_server_app" { 25 | ami = "ami-03a71cec707bfc3d7" 26 | instance_type = "t3.micro" 27 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 28 | 29 | tags = { 30 | Name = "Server-Application" 31 | } 32 | 33 | depends_on = [aws_instance.my_server_db] 34 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.my_server_app File: /Lesson-08/main.tf:24-34 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 24 | resource "aws_instance" "my_server_app" { 25 | ami = "ami-03a71cec707bfc3d7" 26 | instance_type = "t3.micro" 27 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 28 | 29 | tags = { 30 | Name = "Server-Application" 31 | } 32 | 33 | depends_on = [aws_instance.my_server_db] 34 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.my_server_app File: /Lesson-08/main.tf:24-34 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 24 | resource "aws_instance" "my_server_app" { 25 | ami = "ami-03a71cec707bfc3d7" 26 | instance_type = "t3.micro" 27 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 28 | 29 | tags = { 30 | Name = "Server-Application" 31 | } 32 | 33 | depends_on = [aws_instance.my_server_db] 34 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.my_server_db File: /Lesson-08/main.tf:37-45 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 37 | resource "aws_instance" "my_server_db" { 38 | ami = "ami-03a71cec707bfc3d7" 39 | instance_type = "t3.micro" 40 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 41 | 42 | tags = { 43 | Name = "Server-Database" 44 | } 45 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.my_server_db File: /Lesson-08/main.tf:37-45 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 37 | resource "aws_instance" "my_server_db" { 38 | ami = "ami-03a71cec707bfc3d7" 39 | instance_type = "t3.micro" 40 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 41 | 42 | tags = { 43 | Name = "Server-Database" 44 | } 45 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.my_server_db File: /Lesson-08/main.tf:37-45 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 37 | resource "aws_instance" "my_server_db" { 38 | ami = "ami-03a71cec707bfc3d7" 39 | instance_type = "t3.micro" 40 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 41 | 42 | tags = { 43 | Name = "Server-Database" 44 | } 45 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.my_server_db File: /Lesson-08/main.tf:37-45 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 37 | resource "aws_instance" "my_server_db" { 38 | ami = "ami-03a71cec707bfc3d7" 39 | instance_type = "t3.micro" 40 | vpc_security_group_ids = [aws_security_group.my_webserver.id] 41 | 42 | tags = { 43 | Name = "Server-Database" 44 | } 45 | } Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.my_webserver File: /Lesson-08/main.tf:49-74 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 49 | resource "aws_security_group" "my_webserver" { 50 | name = "My Security Group" 51 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 52 | 53 | 54 | dynamic "ingress" { 55 | for_each = ["80", "443", "22"] 56 | content { 57 | from_port = ingress.value 58 | to_port = ingress.value 59 | protocol = "tcp" 60 | cidr_blocks = ["0.0.0.0/0"] 61 | } 62 | } 63 | 64 | egress { 65 | from_port = 0 66 | to_port = 0 67 | protocol = "-1" 68 | cidr_blocks = ["0.0.0.0/0"] 69 | } 70 | 71 | tags = { 72 | Name = "My SecurityGroup" 73 | } 74 | } Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned" 
FAILED for resource: aws_default_vpc.default File: /Lesson-11-ALB-LaunchTemplate/main.tf:37-37 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html 37 | resource "aws_default_vpc" "default" {} Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.web File: /Lesson-11-ALB-LaunchTemplate/main.tf:48-69 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 48 | resource "aws_security_group" "web" { 49 | name = "Web Security Group" 50 | vpc_id = aws_default_vpc.default.id 51 | dynamic "ingress" { 52 | for_each = ["80", "443"] 53 | content { 54 | from_port = ingress.value 55 | to_port = ingress.value 56 | protocol = "tcp" 57 | cidr_blocks = ["0.0.0.0/0"] 58 | } 59 | } 60 | egress { 61 | from_port = 0 62 | to_port = 0 63 | protocol = "-1" 64 | cidr_blocks = ["0.0.0.0/0"] 65 | } 66 | tags = { 67 | Name = "Web Security Group" 68 | } 69 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_launch_template.web File: /Lesson-11-ALB-LaunchTemplate/main.tf:72-78 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 72 | resource "aws_launch_template" "web" { 73 | name = "WebServer-Highly-Available-LT" 74 | image_id = data.aws_ami.latest_amazon_linux.id 75 | instance_type = "t3.micro" 76 | vpc_security_group_ids = [aws_security_group.web.id] 77 | user_data = filebase64("${path.module}/user_data.sh") 78 | } Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers" FAILED for resource: aws_lb.web File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116 
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html 111 | resource "aws_lb" "web" { 112 | name = "WebServer-HighlyAvailable-ALB" 113 | load_balancer_type = "application" 114 | security_groups = [aws_security_group.web.id] 115 | subnets = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id] 116 | } Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled" FAILED for resource: aws_lb.web File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116 Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62 111 | resource "aws_lb" "web" { 112 | name = "WebServer-HighlyAvailable-ALB" 113 | load_balancer_type = "application" 114 | security_groups = [aws_security_group.web.id] 115 | subnets = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id] 116 | } Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled" FAILED for resource: aws_lb.web File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html 111 | resource "aws_lb" "web" { 112 | name = "WebServer-HighlyAvailable-ALB" 113 | load_balancer_type = "application" 114 | security_groups = [aws_security_group.web.id] 115 | subnets = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id] 116 | } Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck" FAILED for resource: aws_lb_target_group.web File: /Lesson-11-ALB-LaunchTemplate/main.tf:118-124 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html 118 
| resource "aws_lb_target_group" "web" { 119 | name = "WebServer-HighlyAvailable-TG" 120 | vpc_id = aws_default_vpc.default.id 121 | port = 80 122 | protocol = "HTTP" 123 | deregistration_delay = 10 # seconds 124 | } Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS" FAILED for resource: aws_lb_listener.http File: /Lesson-11-ALB-LaunchTemplate/main.tf:126-135 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html 126 | resource "aws_lb_listener" "http" { 127 | load_balancer_arn = aws_lb.web.arn 128 | port = "80" 129 | protocol = "HTTP" 130 | 131 | default_action { 132 | type = "forward" 133 | target_group_arn = aws_lb_target_group.web.arn 134 | } 135 | } Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned" FAILED for resource: aws_default_vpc.default File: /Lesson-11-ELB-LaunchConfiguration/main.tf:16-16 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html 16 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.web File: /Lesson-11-ELB-LaunchConfiguration/main.tf:29-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 29 | resource "aws_security_group" "web" { 30 | name = "Dynamic Security Group" 31 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 32 | 33 | dynamic "ingress" { 34 | for_each = ["80", "443"] 35 | content { 36 | from_port = ingress.value 37 | to_port = ingress.value 38 | protocol = "tcp" 39 | 
cidr_blocks = ["0.0.0.0/0"] 40 | } 41 | } 42 | egress { 43 | from_port = 0 44 | to_port = 0 45 | protocol = "-1" 46 | cidr_blocks = ["0.0.0.0/0"] 47 | } 48 | 49 | tags = { 50 | Name = "Dynamic SecurityGroup" 51 | Owner = "Denis Astahov" 52 | } 53 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_launch_configuration.web File: /Lesson-11-ELB-LaunchConfiguration/main.tf:56-67 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 56 | resource "aws_launch_configuration" "web" { 57 | // name = "WebServer-Highly-Available-LC" 58 | name_prefix = "WebServer-Highly-Available-LC-" 59 | image_id = data.aws_ami.latest_amazon_linux.id 60 | instance_type = "t3.micro" 61 | security_groups = [aws_security_group.web.id] 62 | user_data = file("user_data.sh") 63 | 64 | lifecycle { 65 | create_before_destroy = true 66 | } 67 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_launch_configuration.web File: /Lesson-11-ELB-LaunchConfiguration/main.tf:56-67 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 56 | resource "aws_launch_configuration" "web" { 57 | // name = "WebServer-Highly-Available-LC" 58 | name_prefix = "WebServer-Highly-Available-LC-" 59 | image_id = data.aws_ami.latest_amazon_linux.id 60 | instance_type = "t3.micro" 61 | security_groups = [aws_security_group.web.id] 62 | user_data = file("user_data.sh") 63 | 64 | lifecycle { 65 | create_before_destroy = true 66 | } 67 | } Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates" FAILED for resource: aws_autoscaling_group.web File: /Lesson-11-ELB-LaunchConfiguration/main.tf:71-97 71 | 
resource "aws_autoscaling_group" "web" { 72 | name = "ASG-${aws_launch_configuration.web.name}" 73 | launch_configuration = aws_launch_configuration.web.name 74 | min_size = 2 75 | max_size = 2 76 | min_elb_capacity = 2 77 | health_check_type = "ELB" 78 | vpc_zone_identifier = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id] 79 | load_balancers = [aws_elb.web.name] 80 | 81 | dynamic "tag" { 82 | for_each = { 83 | Name = "WebServer in ASG" 84 | Owner = "Denis Astahov" 85 | TAGKEY = "TAGVALUE" 86 | } 87 | content { 88 | key = tag.key 89 | value = tag.value 90 | propagate_at_launch = true 91 | } 92 | } 93 | 94 | lifecycle { 95 | create_before_destroy = true 96 | } 97 | } Check: CKV_AWS_92: "Ensure the ELB has access logging enabled" FAILED for resource: aws_elb.web File: /Lesson-11-ELB-LaunchConfiguration/main.tf:100-120 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html 100 | resource "aws_elb" "web" { 101 | name = "WebServer-HA-ELB" 102 | availability_zones = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]] 103 | security_groups = [aws_security_group.web.id] 104 | listener { 105 | lb_port = 80 106 | lb_protocol = "http" 107 | instance_port = 80 108 | instance_protocol = "http" 109 | } 110 | health_check { 111 | healthy_threshold = 2 112 | unhealthy_threshold = 2 113 | timeout = 3 114 | target = "HTTP:80/" 115 | interval = 10 116 | } 117 | tags = { 118 | Name = "WebServer-Highly-Available-ELB" 119 | } 120 | } Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager" FAILED for resource: aws_elb.web File: /Lesson-11-ELB-LaunchConfiguration/main.tf:100-120 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html 100 | resource "aws_elb" "web" { 101 | name = "WebServer-HA-ELB" 102 | availability_zones = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]] 103 | security_groups = [aws_security_group.web.id] 104 | listener { 105 | lb_port = 80 106 | lb_protocol = "http" 107 | instance_port = 80 108 | instance_protocol = "http" 109 | } 110 | health_check { 111 | healthy_threshold = 2 112 | unhealthy_threshold = 2 113 | timeout = 3 114 | target = "HTTP:80/" 115 | interval = 10 116 | } 117 | tags = { 118 | Name = "WebServer-Highly-Available-ELB" 119 | } 120 | } Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned" FAILED for resource: aws_default_vpc.default File: /Lesson-12/main.tf:15-15 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html 15 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.my_server File: /Lesson-12/main.tf:45-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 45 | resource "aws_instance" "my_server" { 46 | ami = data.aws_ami.latest_amazon_linux.id 47 | instance_type = var.instance_type 48 | vpc_security_group_ids = [aws_security_group.my_server.id] 49 | monitoring = var.enable_detailed_monitoring 50 | 51 | tags = merge(var.common_tags, { 
Name = "${var.common_tags["Environment"]} Server Build by Terraform" }) 52 | 53 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.my_server File: /Lesson-12/main.tf:45-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 45 | resource "aws_instance" "my_server" { 46 | ami = data.aws_ami.latest_amazon_linux.id 47 | instance_type = var.instance_type 48 | vpc_security_group_ids = [aws_security_group.my_server.id] 49 | monitoring = var.enable_detailed_monitoring 50 | 51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" }) 52 | 53 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.my_server File: /Lesson-12/main.tf:45-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 45 | resource "aws_instance" "my_server" { 46 | ami = data.aws_ami.latest_amazon_linux.id 47 | instance_type = var.instance_type 48 | vpc_security_group_ids = [aws_security_group.my_server.id] 49 | monitoring = var.enable_detailed_monitoring 50 | 51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" }) 52 | 53 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.my_server File: /Lesson-12/main.tf:45-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 45 | resource "aws_instance" "my_server" { 46 | ami = data.aws_ami.latest_amazon_linux.id 47 | instance_type = var.instance_type 48 
| vpc_security_group_ids = [aws_security_group.my_server.id] 49 | monitoring = var.enable_detailed_monitoring 50 | 51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" }) 52 | 53 | } Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.my_server File: /Lesson-12/main.tf:56-78 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 56 | resource "aws_security_group" "my_server" { 57 | name = "My Security Group" 58 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 59 | 60 | dynamic "ingress" { 61 | for_each = var.allow_ports 62 | content { 63 | from_port = ingress.value 64 | to_port = ingress.value 65 | protocol = "tcp" 66 | cidr_blocks = ["0.0.0.0/0"] 67 | } 68 | } 69 | egress { 70 | from_port = 0 71 | to_port = 0 72 | protocol = "-1" 73 | cidr_blocks = ["0.0.0.0/0"] 74 | } 75 | 76 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server SecurityGroup" }) 77 | 78 | } Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned" FAILED for resource: aws_default_vpc.default File: /Lesson-13/main.tf:15-15 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html 15 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.my_server File: /Lesson-13/main.tf:45-53 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 45 | resource "aws_instance" "my_server" { 46 | ami = data.aws_ami.latest_amazon_linux.id 47 | instance_type = var.instance_type 48 | vpc_security_group_ids = [aws_security_group.my_server.id] 49 | monitoring = var.enable_detailed_monitoring 50 | 51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" }) 52 | 53 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.my_server File: /Lesson-13/main.tf:45-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 45 | resource "aws_instance" "my_server" { 46 | ami = data.aws_ami.latest_amazon_linux.id 47 | instance_type = var.instance_type 48 | vpc_security_group_ids = [aws_security_group.my_server.id] 49 | monitoring = var.enable_detailed_monitoring 50 | 51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" }) 52 | 53 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.my_server File: /Lesson-13/main.tf:45-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 45 | resource "aws_instance" "my_server" { 46 | ami = data.aws_ami.latest_amazon_linux.id 47 | instance_type = var.instance_type 48 | vpc_security_group_ids = [aws_security_group.my_server.id] 49 | monitoring = var.enable_detailed_monitoring 50 | 51 | tags = merge(var.common_tags, { Name = 
		    "${var.common_tags["Environment"]} Server Build by Terraform" })
		52 | 
		53 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.my_server
	File: /Lesson-13/main.tf:45-53
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		45 | resource "aws_instance" "my_server" {
		46 |   ami                    = data.aws_ami.latest_amazon_linux.id
		47 |   instance_type          = var.instance_type
		48 |   vpc_security_group_ids = [aws_security_group.my_server.id]
		49 |   monitoring             = var.enable_detailed_monitoring
		50 | 
		51 |   tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
		52 | 
		53 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.my_server
	File: /Lesson-13/main.tf:56-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		56 | resource "aws_security_group" "my_server" {
		57 |   name   = "My Security Group"
		58 |   vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		59 | 
		60 |   dynamic "ingress" {
		61 |     for_each = var.allow_ports
		62 |     content {
		63 |       from_port   = ingress.value
		64 |       to_port     = ingress.value
		65 |       protocol    = "tcp"
		66 |       cidr_blocks = ["0.0.0.0/0"]
		67 |     }
		68 |   }
		69 |   egress {
		70 |     from_port   = 0
		71 |     to_port     = 0
		72 |     protocol    = "-1"
		73 |     cidr_blocks = ["0.0.0.0/0"]
		74 |   }
		75 | 
		76 |   tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server SecurityGroup" })
		77 | 
		78 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.myserver
	File: /Lesson-15/main.tf:50-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		50 | resource "aws_instance" "myserver" {
		51 |   ami           = "ami-08a9b721ecc5b0a53"
		52 |   instance_type = "t3.micro"
		53 |   provisioner "local-exec" {
		54 |     command = "echo Hello from AWS Instance Creations!"
		55 |   }
		56 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.myserver
	File: /Lesson-15/main.tf:50-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		50 | resource "aws_instance" "myserver" {
		51 |   ami           = "ami-08a9b721ecc5b0a53"
		52 |   instance_type = "t3.micro"
		53 |   provisioner "local-exec" {
		54 |     command = "echo Hello from AWS Instance Creations!"
		55 |   }
		56 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.myserver
	File: /Lesson-15/main.tf:50-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		50 | resource "aws_instance" "myserver" {
		51 |   ami           = "ami-08a9b721ecc5b0a53"
		52 |   instance_type = "t3.micro"
		53 |   provisioner "local-exec" {
		54 |     command = "echo Hello from AWS Instance Creations!"
		55 |   }
		56 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.myserver
	File: /Lesson-15/main.tf:50-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		50 | resource "aws_instance" "myserver" {
		51 |   ami           = "ami-08a9b721ecc5b0a53"
		52 |   instance_type = "t3.micro"
		53 |   provisioner "local-exec" {
		54 |     command = "echo Hello from AWS Instance Creations!"
		55 |   }
		56 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.rds_password
	File: /Lesson-16/main.tf:28-33

		28 | resource "aws_ssm_parameter" "rds_password" {
		29 |   name        = "/prod/mysql"
		30 |   description = "Master Password for RDS MySQL"
		31 |   type        = "SecureString"
		32 |   value       = random_string.rds_password.result
		33 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.default
	File: /Lesson-16/main.tf:43-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		43 | resource "aws_db_instance" "default" {
		44 |   identifier           = "prod-rds"
		45 |   allocated_storage    = 20
		46 |   storage_type         = "gp2"
		47 |   engine               = "mysql"
		48 |   engine_version       = "5.7"
		49 |   instance_class       = "db.t2.micro"
		50 |   name                 = "prod"
		51 |   username             = "administrator"
		52 |   password             = data.aws_ssm_parameter.my_rds_password.value
		53 |   parameter_group_name = "default.mysql5.7"
		54 |   skip_final_snapshot  = true
		55 |   apply_immediately    = true
		56 | }

Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
	FAILED for resource: aws_default_vpc.default
	File: /Lesson-17/main.tf:13-13
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html

		13 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.my_webserver1
	File: /Lesson-17/main.tf:16-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		16 | resource "aws_instance" "my_webserver1" {
		17 |   ami           = "ami-03a71cec707bfc3d7"
		18 |   //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
		19 |   instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
		20 | 
		21 |   tags = {
		22 |     Name  = "${var.env}-server"
		23 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		24 |   }
		25 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.my_webserver1
	File: /Lesson-17/main.tf:16-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		16 | resource "aws_instance" "my_webserver1" {
		17 |   ami           = "ami-03a71cec707bfc3d7"
		18 |   //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
		19 |   instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
		20 | 
		21 |   tags = {
		22 |     Name  = "${var.env}-server"
		23 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		24 |   }
		25 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.my_webserver1
	File: /Lesson-17/main.tf:16-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		16 | resource "aws_instance" "my_webserver1" {
		17 |   ami           = "ami-03a71cec707bfc3d7"
		18 |   //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
		19 |   instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
		20 | 
		21 |   tags = {
		22 |     Name  = "${var.env}-server"
		23 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		24 |   }
		25 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.my_webserver1
	File: /Lesson-17/main.tf:16-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		16 | resource "aws_instance" "my_webserver1" {
		17 |   ami           = "ami-03a71cec707bfc3d7"
		18 |   //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
		19 |   instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
		20 | 
		21 |   tags = {
		22 |     Name  = "${var.env}-server"
		23 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		24 |   }
		25 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.my_webserver2
	File: /Lesson-17/main.tf:28-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		28 | resource "aws_instance" "my_webserver2" {
		29 |   ami           = "ami-03a71cec707bfc3d7"
		30 |   instance_type = lookup(var.ec2_size, var.env)
		31 | 
		32 |   tags = {
		33 |     Name  = "${var.env}-server"
		34 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		35 |   }
		36 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.my_webserver2
	File: /Lesson-17/main.tf:28-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		28 | resource "aws_instance" "my_webserver2" {
		29 |   ami           = "ami-03a71cec707bfc3d7"
		30 |   instance_type = lookup(var.ec2_size, var.env)
		31 | 
		32 |   tags = {
		33 |     Name  = "${var.env}-server"
		34 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		35 |   }
		36 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.my_webserver2
	File: /Lesson-17/main.tf:28-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		28 | resource "aws_instance" "my_webserver2" {
		29 |   ami           = "ami-03a71cec707bfc3d7"
		30 |   instance_type = lookup(var.ec2_size, var.env)
		31 | 
		32 |   tags = {
		33 |     Name  = "${var.env}-server"
		34 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		35 |   }
		36 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.my_webserver2
	File: /Lesson-17/main.tf:28-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		28 | resource "aws_instance" "my_webserver2" {
		29 |   ami           = "ami-03a71cec707bfc3d7"
		30 |   instance_type = lookup(var.ec2_size, var.env)
		31 | 
		32 |   tags = {
		33 |     Name  = "${var.env}-server"
		34 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		35 |   }
		36 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.my_dev_bastion
	File: /Lesson-17/main.tf:40-48
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		40 | resource "aws_instance" "my_dev_bastion" {
		41 |   count         = var.env == "dev" ? 1 : 0
		42 |   ami           = "ami-03a71cec707bfc3d7"
		43 |   instance_type = "t2.micro"
		44 | 
		45 |   tags = {
		46 |     Name = "Bastion Server for Dev-server"
		47 |   }
		48 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.my_dev_bastion
	File: /Lesson-17/main.tf:40-48
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		40 | resource "aws_instance" "my_dev_bastion" {
		41 |   count         = var.env == "dev" ? 1 : 0
		42 |   ami           = "ami-03a71cec707bfc3d7"
		43 |   instance_type = "t2.micro"
		44 | 
		45 |   tags = {
		46 |     Name = "Bastion Server for Dev-server"
		47 |   }
		48 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.my_dev_bastion
	File: /Lesson-17/main.tf:40-48
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		40 | resource "aws_instance" "my_dev_bastion" {
		41 |   count         = var.env == "dev" ? 1 : 0
		42 |   ami           = "ami-03a71cec707bfc3d7"
		43 |   instance_type = "t2.micro"
		44 | 
		45 |   tags = {
		46 |     Name = "Bastion Server for Dev-server"
		47 |   }
		48 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.my_dev_bastion
	File: /Lesson-17/main.tf:40-48
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		40 | resource "aws_instance" "my_dev_bastion" {
		41 |   count         = var.env == "dev" ? 1 : 0
		42 |   ami           = "ami-03a71cec707bfc3d7"
		43 |   instance_type = "t2.micro"
		44 | 
		45 |   tags = {
		46 |     Name = "Bastion Server for Dev-server"
		47 |   }
		48 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.my_webserver
	File: /Lesson-17/main.tf:52-76
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		52 | resource "aws_security_group" "my_webserver" {
		53 |   name   = "Dynamic Security Group"
		54 |   vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		55 | 
		56 |   dynamic "ingress" {
		57 |     for_each = lookup(var.allow_port_list, var.env)
		58 |     content {
		59 |       from_port   = ingress.value
		60 |       to_port     = ingress.value
		61 |       protocol    = "tcp"
		62 |       cidr_blocks = ["0.0.0.0/0"]
		63 |     }
		64 |   }
		65 |   egress {
		66 |     from_port   = 0
		67 |     to_port     = 0
		68 |     protocol    = "-1"
		69 |     cidr_blocks = ["0.0.0.0/0"]
		70 |   }
		71 | 
		72 |   tags = {
		73 |     Name  = "Dynamic SecurityGroup"
		74 |     Owner = "Denis Astahov"
		75 |   }
		76 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.user1
	File: /Lesson-18/main.tf:13-15

		13 | resource "aws_iam_user" "user1" {
		14 |   name = "pushkin"
		15 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.users[0]
	File: /Lesson-18/main.tf:17-20

		17 | resource "aws_iam_user" "users" {
		18 |   count = length(var.aws_users)
		19 |   name  = element(var.aws_users, count.index)
		20 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.servers[0]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.servers[0]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.servers[0]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.servers[0]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.users[1]
	File: /Lesson-18/main.tf:17-20

		17 | resource "aws_iam_user" "users" {
		18 |   count = length(var.aws_users)
		19 |   name  = element(var.aws_users, count.index)
		20 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.users[2]
	File: /Lesson-18/main.tf:17-20

		17 | resource "aws_iam_user" "users" {
		18 |   count = length(var.aws_users)
		19 |   name  = element(var.aws_users, count.index)
		20 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.users[3]
	File: /Lesson-18/main.tf:17-20

		17 | resource "aws_iam_user" "users" {
		18 |   count = length(var.aws_users)
		19 |   name  = element(var.aws_users, count.index)
		20 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.users[4]
	File: /Lesson-18/main.tf:17-20

		17 | resource "aws_iam_user" "users" {
		18 |   count = length(var.aws_users)
		19 |   name  = element(var.aws_users, count.index)
		20 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.users[5]
	File: /Lesson-18/main.tf:17-20

		17 | resource "aws_iam_user" "users" {
		18 |   count = length(var.aws_users)
		19 |   name  = element(var.aws_users, count.index)
		20 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.users[6]
	File: /Lesson-18/main.tf:17-20

		17 | resource "aws_iam_user" "users" {
		18 |   count = length(var.aws_users)
		19 |   name  = element(var.aws_users, count.index)
		20 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.users[7]
	File: /Lesson-18/main.tf:17-20

		17 | resource "aws_iam_user" "users" {
		18 |   count = length(var.aws_users)
		19 |   name  = element(var.aws_users, count.index)
		20 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.servers[1]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.servers[1]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.servers[1]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.servers[1]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.servers[2]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.servers[2]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.servers[2]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.servers[2]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.my_default_server
	File: /Lesson-19/main.tf:67-73
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		67 | resource "aws_instance" "my_default_server" {
		68 |   instance_type = "t3.micro"
		69 |   ami           = data.aws_ami.defaut_latest_ubuntu.id
		70 |   tags = {
		71 |     Name = "Default Server"
		72 |   }
		73 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.my_default_server
	File: /Lesson-19/main.tf:67-73
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		67 | resource "aws_instance" "my_default_server" {
		68 |   instance_type = "t3.micro"
		69 |   ami           = data.aws_ami.defaut_latest_ubuntu.id
		70 |   tags = {
		71 |     Name = "Default Server"
		72 |   }
		73 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.my_default_server
	File: /Lesson-19/main.tf:67-73
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		67 | resource "aws_instance" "my_default_server" {
		68 |   instance_type = "t3.micro"
		69 |   ami           = data.aws_ami.defaut_latest_ubuntu.id
		70 |   tags = {
		71 |     Name = "Default Server"
		72 |   }
		73 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.my_default_server
	File: /Lesson-19/main.tf:67-73
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		67 | resource "aws_instance" "my_default_server" {
		68 |   instance_type = "t3.micro"
		69 |   ami           = data.aws_ami.defaut_latest_ubuntu.id
		70 |   tags = {
		71 |     Name = "Default Server"
		72 |   }
		73 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.my_usa_server
	File: /Lesson-19/main.tf:75-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		75 | resource "aws_instance" "my_usa_server" {
		76 |   provider      = aws.USA
		77 |   instance_type = "t3.micro"
		78 |   ami           = data.aws_ami.usa_latest_ubuntu.id
		79 |   tags = {
		80 |     Name = "USA Server"
		81 |   }
		82 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.my_usa_server
	File: /Lesson-19/main.tf:75-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		75 | resource "aws_instance" "my_usa_server" {
		76 |   provider      = aws.USA
		77 |   instance_type = "t3.micro"
		78 |   ami           = data.aws_ami.usa_latest_ubuntu.id
		79 |   tags = {
		80 |     Name = "USA Server"
		81 |   }
		82 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.my_usa_server
	File: /Lesson-19/main.tf:75-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		75 | resource "aws_instance" "my_usa_server" {
		76 |   provider      = aws.USA
		77 |   instance_type = "t3.micro"
		78 |   ami           = data.aws_ami.usa_latest_ubuntu.id
		79 |   tags = {
		80 |     Name = "USA Server"
		81 |   }
		82 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.my_usa_server
	File: /Lesson-19/main.tf:75-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		75 | resource "aws_instance" "my_usa_server" {
		76 |   provider      = aws.USA
		77 |   instance_type = "t3.micro"
		78 |   ami           = data.aws_ami.usa_latest_ubuntu.id
		79 |   tags = {
		80 |     Name = "USA Server"
		81 |   }
		82 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.my_ger_server
	File: /Lesson-19/main.tf:84-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		84 | resource "aws_instance" "my_ger_server" {
		85 |   provider      = aws.GER
		86 |   instance_type = "t3.micro"
		87 |   ami           = data.aws_ami.ger_latest_ubuntu.id
		88 |   tags = {
		89 |     Name = "GERMANY Server"
		90 |   }
		91 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.my_ger_server
	File: /Lesson-19/main.tf:84-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		84 | resource "aws_instance" "my_ger_server" {
		85 |   provider      = aws.GER
		86 |   instance_type = "t3.micro"
		87 |   ami           = data.aws_ami.ger_latest_ubuntu.id
		88 |   tags = {
		89 |     Name = "GERMANY Server"
		90 |   }
		91 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.my_ger_server
	File: /Lesson-19/main.tf:84-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		84 | resource "aws_instance" "my_ger_server" {
		85 |   provider      = aws.GER
		86 |   instance_type = "t3.micro"
		87 |   ami           = data.aws_ami.ger_latest_ubuntu.id
		88 |   tags = {
		89 |     Name = "GERMANY Server"
		90 |   }
		91 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.my_ger_server
	File: /Lesson-19/main.tf:84-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		84 | resource "aws_instance" "my_ger_server" {
		85 |   provider      = aws.GER
		86 |   instance_type = "t3.micro"
		87 |   ami           = data.aws_ami.ger_latest_ubuntu.id
		88 |   tags = {
		89 |     Name = "GERMANY Server"
		90 |   }
		91 | }

Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
	FAILED for resource: aws_subnet.public_subnets[0]
	File: /Lesson-20/Layer1-Network/main.tf:39-48
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html

		39 | resource "aws_subnet" "public_subnets" {
		40 |   count                   = length(var.public_subnet_cidrs)
		41 |   vpc_id                  = aws_vpc.main.id
		42 |   cidr_block              = element(var.public_subnet_cidrs, count.index)
		43 |   availability_zone       = data.aws_availability_zones.available.names[count.index]
		44 |   map_public_ip_on_launch = true
		45 |   tags = {
		46 |     Name = "${var.env}-puvlic-${count.index + 1}"
		47 |   }
		48 | }

Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
	FAILED for resource: aws_subnet.public_subnets[1]
	File: /Lesson-20/Layer1-Network/main.tf:39-48
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html

		39 | resource "aws_subnet" "public_subnets" {
		40 |   count                   = length(var.public_subnet_cidrs)
		41 |   vpc_id                  = aws_vpc.main.id
		42 |   cidr_block              = element(var.public_subnet_cidrs, count.index)
		43 |   availability_zone       = data.aws_availability_zones.available.names[count.index]
		44 |   map_public_ip_on_launch = true
		45 |   tags = {
		46 |     Name = "${var.env}-puvlic-${count.index + 1}"
		47 |   }
		48 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.web_server
	File: /Lesson-20/Layer2-Servers/main.tf:42-59
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		42 | resource "aws_instance" "web_server" {
		43 |   ami                    = data.aws_ami.latest_amazon_linux.id
		44 |   instance_type          = "t3.micro"
		45 |   vpc_security_group_ids = [aws_security_group.webserver.id]
		46 |   subnet_id              = data.terraform_remote_state.network.outputs.public_subnet_ids[0]
		47 |   user_data = <WebServer with IP: $myip
		     Build by Terraform with Remote State" > /var/www/html/index.html
		53 | sudo service httpd start
		54 | chkconfig httpd on
		55 | EOF
		56 |   tags = {
		57 |     Name = "${var.env}-WebServer"
		58 |   }
		59 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.web_server
	File: /Lesson-20/Layer2-Servers/main.tf:42-59
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		42 | resource "aws_instance" "web_server" {
		43 |   ami                    = data.aws_ami.latest_amazon_linux.id
		44 |   instance_type          = "t3.micro"
		45 |   vpc_security_group_ids = [aws_security_group.webserver.id]
		46 |   subnet_id              = data.terraform_remote_state.network.outputs.public_subnet_ids[0]
		47 |   user_data = <WebServer with IP: $myip
    Build by Terraform with Remote State" > /var/www/html/index.html 53 | sudo service httpd start 54 | chkconfig httpd on 55 | EOF 56 | tags = { 57 | Name = "${var.env}-WebServer" 58 | } 59 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.web_server File: /Lesson-20/Layer2-Servers/main.tf:42-59 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 42 | resource "aws_instance" "web_server" { 43 | ami = data.aws_ami.latest_amazon_linux.id 44 | instance_type = "t3.micro" 45 | vpc_security_group_ids = [aws_security_group.webserver.id] 46 | subnet_id = data.terraform_remote_state.network.outputs.public_subnet_ids[0] 47 | user_data = <WebServer with IP: $myip
    Build by Terraform with Remote State" > /var/www/html/index.html 53 | sudo service httpd start 54 | chkconfig httpd on 55 | EOF 56 | tags = { 57 | Name = "${var.env}-WebServer" 58 | } 59 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.web_server File: /Lesson-20/Layer2-Servers/main.tf:42-59 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 42 | resource "aws_instance" "web_server" { 43 | ami = data.aws_ami.latest_amazon_linux.id 44 | instance_type = "t3.micro" 45 | vpc_security_group_ids = [aws_security_group.webserver.id] 46 | subnet_id = data.terraform_remote_state.network.outputs.public_subnet_ids[0] 47 | user_data = <WebServer with IP: $myip
    Build by Terraform with Remote State" > /var/www/html/index.html 53 | sudo service httpd start 54 | chkconfig httpd on 55 | EOF 56 | tags = { 57 | Name = "${var.env}-WebServer" 58 | } 59 | } Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.webserver File: /Lesson-20/Layer2-Servers/main.tf:61-89 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 61 | resource "aws_security_group" "webserver" { 62 | name = "WebServer Security Group" 63 | vpc_id = data.terraform_remote_state.network.outputs.vpc_id 64 | 65 | ingress { 66 | from_port = 80 67 | to_port = 80 68 | protocol = "tcp" 69 | cidr_blocks = ["0.0.0.0/0"] 70 | } 71 | 72 | ingress { 73 | from_port = 22 74 | to_port = 22 75 | protocol = "tcp" 76 | cidr_blocks = [data.terraform_remote_state.network.outputs.vpc_cidr] 77 | } 78 | egress { 79 | from_port = 0 80 | to_port = 0 81 | protocol = "-1" 82 | cidr_blocks = ["0.0.0.0/0"] 83 | } 84 | 85 | tags = { 86 | Name = "${var.env}-web-server-sg" 87 | Owner = "Denis Astahov" 88 | } 89 | } Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" FAILED for resource: aws_security_group.webserver File: /Lesson-20/Layer2-Servers/main.tf:61-89 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html 61 | resource "aws_security_group" "webserver" { 62 | name = "WebServer Security Group" 63 | vpc_id = data.terraform_remote_state.network.outputs.vpc_id 64 | 65 | ingress { 66 | from_port = 80 67 | to_port = 80 68 | protocol = "tcp" 69 | cidr_blocks = ["0.0.0.0/0"] 70 | } 71 | 72 | ingress { 73 | from_port = 22 74 | to_port = 22 75 | protocol = "tcp" 76 | cidr_blocks = 
[data.terraform_remote_state.network.outputs.vpc_cidr] 77 | } 78 | egress { 79 | from_port = 0 80 | to_port = 0 81 | protocol = "-1" 82 | cidr_blocks = ["0.0.0.0/0"] 83 | } 84 | 85 | tags = { 86 | Name = "${var.env}-web-server-sg" 87 | Owner = "Denis Astahov" 88 | } 89 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-default.aws_subnet.public_subnets[0] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:12-15 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-default.aws_subnet.public_subnets[1] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:12-15 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_AWS_130: 
"Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-default.aws_subnet.public_subnets[2] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:12-15 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-dev.aws_subnet.public_subnets[0] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:17-24 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-dev.aws_subnet.public_subnets[1] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:17-24 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-prod.aws_subnet.public_subnets[0] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:26-33 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-prod.aws_subnet.public_subnets[1] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:26-33 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = 
length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-prod.aws_subnet.public_subnets[2] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:26-33 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-test.aws_subnet.public_subnets[0] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:35-42 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 
1}" 40 | } 41 | } Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default" FAILED for resource: module.vpc-test.aws_subnet.public_subnets[1] File: /Lesson-21/modules/aws_network/main.tf:32-41 Calling File: /Lesson-21/projectA/main.tf:35-42 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html 32 | resource "aws_subnet" "public_subnets" { 33 | count = length(var.public_subnet_cidrs) 34 | vpc_id = aws_vpc.main.id 35 | cidr_block = element(var.public_subnet_cidrs, count.index) 36 | availability_zone = data.aws_availability_zones.available.names[count.index] 37 | map_public_ip_on_launch = true 38 | tags = { 39 | Name = "${var.env}-public-${count.index + 1}" 40 | } 41 | } Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled" FAILED for resource: google_compute_instance.my_server File: /Lesson-24/main.tf:18-30 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html 18 | resource "google_compute_instance" "my_server" { 19 | name = "my-gcp-server" 20 | machine_type = "f1-micro" 21 | boot_disk { 22 | initialize_params { 23 | image = "debian-cloud/debian-9" 24 | } 25 | } 26 | 27 | network_interface { 28 | network = "default" 29 | } 30 | } Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances" FAILED for resource: google_compute_instance.my_server File: /Lesson-24/main.tf:18-30 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html 18 | resource "google_compute_instance" "my_server" { 19 | name = "my-gcp-server" 20 | machine_type = 
"f1-micro" 21 | boot_disk { 22 | initialize_params { 23 | image = "debian-cloud/debian-9" 24 | } 25 | } 26 | 27 | network_interface { 28 | network = "default" 29 | } 30 | } Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)" FAILED for resource: google_compute_instance.my_server File: /Lesson-24/main.tf:18-30 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html 18 | resource "google_compute_instance" "my_server" { 19 | name = "my-gcp-server" 20 | machine_type = "f1-micro" 21 | boot_disk { 22 | initialize_params { 23 | image = "debian-cloud/debian-9" 24 | } 25 | } 26 | 27 | network_interface { 28 | network = "default" 29 | } 30 | } Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account" FAILED for resource: google_compute_instance.my_server File: /Lesson-24/main.tf:18-30 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html 18 | resource "google_compute_instance" "my_server" { 19 | name = "my-gcp-server" 20 | machine_type = "f1-micro" 21 | boot_disk { 22 | initialize_params { 23 | image = "debian-cloud/debian-9" 24 | } 25 | } 26 | 27 | network_interface { 28 | network = "default" 29 | } 30 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.node1 File: /Lesson-26/import-begin.tf:6-8 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 6 | resource "aws_instance" "node1" { 7 | 8 | } Check: CKV_AWS_8: "Ensure all data 
stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.node1 File: /Lesson-26/import-begin.tf:6-8 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 6 | resource "aws_instance" "node1" { 7 | 8 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.node1 File: /Lesson-26/import-begin.tf:6-8 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 6 | resource "aws_instance" "node1" { 7 | 8 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.node1 File: /Lesson-26/import-begin.tf:6-8 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 6 | resource "aws_instance" "node1" { 7 | 8 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.node2 File: /Lesson-26/import-begin.tf:10-12 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 10 | resource "aws_instance" "node2" { 11 | 12 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.node2 File: /Lesson-26/import-begin.tf:10-12 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 10 | 
resource "aws_instance" "node2" { 11 | 12 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.node2 File: /Lesson-26/import-begin.tf:10-12 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 10 | resource "aws_instance" "node2" { 11 | 12 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.node2 File: /Lesson-26/import-begin.tf:10-12 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 10 | resource "aws_instance" "node2" { 11 | 12 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.node3 File: /Lesson-26/import-begin.tf:14-16 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 14 | resource "aws_instance" "node3" { 15 | 16 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.node3 File: /Lesson-26/import-begin.tf:14-16 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 14 | resource "aws_instance" "node3" { 15 | 16 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.node3 File: /Lesson-26/import-begin.tf:14-16 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 14 | resource "aws_instance" "node3" { 15 | 16 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.node3 File: /Lesson-26/import-begin.tf:14-16 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 14 | resource "aws_instance" "node3" { 15 | 16 | } Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.nomad File: /Lesson-26/import-begin.tf:18-20 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 18 | resource "aws_security_group" "nomad" { 19 | 20 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.node1 File: /Lesson-26/import-finish.tf:1-10 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 1 | resource "aws_instance" "node1" { 2 | ami = "ami-0a634ae95e11c6f91" 3 | instance_type = "t3.micro" 4 | vpc_security_group_ids = [aws_security_group.nomad.id] 5 | ebs_optimized = true 6 | tags = { 7 | Name = "Nomad Ubuntu Node-1" 8 | Owner = "Denis Astahov" 9 | } 10 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.node1 File: /Lesson-26/import-finish.tf:1-10 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 1 | resource "aws_instance" "node1" { 2 | ami = "ami-0a634ae95e11c6f91" 3 | instance_type = "t3.micro" 4 | vpc_security_group_ids = [aws_security_group.nomad.id] 5 | ebs_optimized = true 6 | tags = { 7 | Name = "Nomad Ubuntu Node-1" 8 | Owner = "Denis Astahov" 9 | } 10 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.node1 File: /Lesson-26/import-finish.tf:1-10 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 1 | resource "aws_instance" "node1" { 2 | ami = "ami-0a634ae95e11c6f91" 3 | instance_type = "t3.micro" 4 | vpc_security_group_ids = [aws_security_group.nomad.id] 5 | ebs_optimized = true 6 | tags = { 7 | Name = "Nomad Ubuntu Node-1" 8 | Owner = "Denis Astahov" 9 | } 10 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.node2 File: /Lesson-26/import-finish.tf:12-21 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 12 | resource "aws_instance" "node2" { 13 | ami = "ami-0a634ae95e11c6f91" 14 | instance_type = "t3.micro" 15 | vpc_security_group_ids = [aws_security_group.nomad.id] 16 | ebs_optimized = true 17 | tags = { 18 | Name = "Nomad Ubuntu Node-2" 19 | Owner = "Denis Astahov" 20 | } 21 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.node2 File: /Lesson-26/import-finish.tf:12-21 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 12 | resource "aws_instance" "node2" { 13 | ami = "ami-0a634ae95e11c6f91" 14 | instance_type = "t3.micro" 15 | vpc_security_group_ids = [aws_security_group.nomad.id] 16 | ebs_optimized = true 17 | tags = { 18 | Name = "Nomad Ubuntu Node-2" 19 | Owner = "Denis Astahov" 20 | } 21 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.node2 File: /Lesson-26/import-finish.tf:12-21 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 12 | resource "aws_instance" "node2" { 13 | ami = "ami-0a634ae95e11c6f91" 14 | instance_type = "t3.micro" 15 | vpc_security_group_ids = [aws_security_group.nomad.id] 16 | ebs_optimized = true 17 | tags = { 18 | Name = "Nomad Ubuntu Node-2" 19 | Owner = "Denis Astahov" 20 | } 21 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.node3 File: /Lesson-26/import-finish.tf:23-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 23 | resource "aws_instance" "node3" { 24 | ami = "ami-0a634ae95e11c6f91" 25 | instance_type = "t3.micro" 26 | vpc_security_group_ids = [aws_security_group.nomad.id] 27 | ebs_optimized = true 28 | tags = { 29 | Name = "Nomad Ubuntu Node-3" 30 | Owner = "Denis Astahov" 31 | } 32 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.node3 File: /Lesson-26/import-finish.tf:23-32 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 23 | resource "aws_instance" "node3" { 24 | ami = "ami-0a634ae95e11c6f91" 25 | instance_type = "t3.micro" 26 | vpc_security_group_ids = [aws_security_group.nomad.id] 27 | ebs_optimized = true 28 | tags = { 29 | Name = "Nomad Ubuntu Node-3" 30 | Owner = "Denis Astahov" 31 | } 32 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.node3 File: /Lesson-26/import-finish.tf:23-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 23 | resource "aws_instance" "node3" { 24 | ami = "ami-0a634ae95e11c6f91" 25 | instance_type = "t3.micro" 26 | vpc_security_group_ids = [aws_security_group.nomad.id] 27 | ebs_optimized = true 28 | tags = { 29 | Name = "Nomad Ubuntu Node-3" 30 | Owner = "Denis Astahov" 31 | } 32 | } Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned" FAILED for resource: aws_default_vpc.default File: /Lesson-26/import-finish.tf:34-34 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html 34 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.nomad File: /Lesson-26/import-finish.tf:35-55 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 35 | resource "aws_security_group" "nomad" { 36 | description = "Nomad" 37 | vpc_id = 
aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 38 | 39 | ingress { 40 | from_port = 0 41 | to_port = 65535 42 | protocol = "tcp" 43 | cidr_blocks = ["0.0.0.0/0"] 44 | } 45 | egress { 46 | from_port = 0 47 | to_port = 0 48 | protocol = "-1" 49 | cidr_blocks = ["0.0.0.0/0"] 50 | } 51 | tags = { 52 | Name = "Nomad Cluster" 53 | Owner = "Denis Astahov" 54 | } 55 | } Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" FAILED for resource: aws_security_group.nomad File: /Lesson-26/import-finish.tf:35-55 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html 35 | resource "aws_security_group" "nomad" { 36 | description = "Nomad" 37 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 38 | 39 | ingress { 40 | from_port = 0 41 | to_port = 65535 42 | protocol = "tcp" 43 | cidr_blocks = ["0.0.0.0/0"] 44 | } 45 | egress { 46 | from_port = 0 47 | to_port = 0 48 | protocol = "-1" 49 | cidr_blocks = ["0.0.0.0/0"] 50 | } 51 | tags = { 52 | Name = "Nomad Cluster" 53 | Owner = "Denis Astahov" 54 | } 55 | } Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389" FAILED for resource: aws_security_group.nomad File: /Lesson-26/import-finish.tf:35-55 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-2.html 35 | resource "aws_security_group" "nomad" { 36 | description = "Nomad" 37 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 38 | 39 | ingress { 40 | from_port = 0 41 | to_port = 65535 42 | protocol = "tcp" 43 | cidr_blocks = ["0.0.0.0/0"] 44 | } 45 | egress { 46 | 
from_port   = 0
		47 |     to_port     = 0
		48 |     protocol    = "-1"
		49 |     cidr_blocks = ["0.0.0.0/0"]
		50 |   }
		51 |   tags = {
		52 |     Name  = "Nomad Cluster"
		53 |     Owner = "Denis Astahov"
		54 |   }
		55 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.nomad
	File: /Lesson-26/import-finish.tf:35-55
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html

		35 | resource "aws_security_group" "nomad" {
		36 |   description = "Nomad"
		37 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		38 | 
		39 |   ingress {
		40 |     from_port   = 0
		41 |     to_port     = 65535
		42 |     protocol    = "tcp"
		43 |     cidr_blocks = ["0.0.0.0/0"]
		44 |   }
		45 |   egress {
		46 |     from_port   = 0
		47 |     to_port     = 0
		48 |     protocol    = "-1"
		49 |     cidr_blocks = ["0.0.0.0/0"]
		50 |   }
		51 |   tags = {
		52 |     Name  = "Nomad Cluster"
		53 |     Owner = "Denis Astahov"
		54 |   }
		55 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.node1
	File: /Lesson-27-v0.15.2+/main.tf:8-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		8  | resource "aws_instance" "node1" {
		9  |   ami           = "ami-05655c267c89566dd"
		10 |   instance_type = "t3.micro"
		11 |   tags = {
		12 |     Name  = "Node-1"
		13 |     Owner = "Denis Astahov"
		14 |   }
		15 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.node1
	File: /Lesson-27-v0.15.2+/main.tf:8-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		8  | resource "aws_instance" "node1" {
		9  |   ami           = "ami-05655c267c89566dd"
		10 |   instance_type = "t3.micro"
		11 |   tags = {
		12 |     Name  = "Node-1"
		13 |     Owner = "Denis Astahov"
		14 |   }
		15 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.node1
	File: /Lesson-27-v0.15.2+/main.tf:8-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		8  | resource "aws_instance" "node1" {
		9  |   ami           = "ami-05655c267c89566dd"
		10 |   instance_type = "t3.micro"
		11 |   tags = {
		12 |     Name  = "Node-1"
		13 |     Owner = "Denis Astahov"
		14 |   }
		15 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.node1
	File: /Lesson-27-v0.15.2+/main.tf:8-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		8  | resource "aws_instance" "node1" {
		9  |   ami           = "ami-05655c267c89566dd"
		10 |   instance_type = "t3.micro"
		11 |   tags = {
		12 |     Name  = "Node-1"
		13 |     Owner = "Denis Astahov"
		14 |   }
		15 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.node2
	File: /Lesson-27-v0.15.2+/main.tf:17-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		17 | resource "aws_instance" "node2" {
		18 |   ami           = "ami-05655c267c89566dd"
		19 |   instance_type = "t3.micro"
		20 |   tags = {
		21 |     Name  = "Node-2"
		22 |     Owner = "Denis Astahov"
		23 |   }
		24 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.node2
	File: /Lesson-27-v0.15.2+/main.tf:17-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		17 | resource "aws_instance" "node2" {
		18 |   ami           = "ami-05655c267c89566dd"
		19 |   instance_type = "t3.micro"
		20 |   tags = {
		21 |     Name  = "Node-2"
		22 |     Owner = "Denis Astahov"
		23 |   }
		24 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.node2
	File: /Lesson-27-v0.15.2+/main.tf:17-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		17 | resource "aws_instance" "node2" {
		18 |   ami           = "ami-05655c267c89566dd"
		19 |   instance_type = "t3.micro"
		20 |   tags = {
		21 |     Name  = "Node-2"
		22 |     Owner = "Denis Astahov"
		23 |   }
		24 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.node2
	File: /Lesson-27-v0.15.2+/main.tf:17-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		17 | resource "aws_instance" "node2" {
		18 |   ami           = "ami-05655c267c89566dd"
		19 |   instance_type = "t3.micro"
		20 |   tags = {
		21 |     Name  = "Node-2"
		22 |     Owner = "Denis Astahov"
		23 |   }
		24 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.node3
	File: /Lesson-27-v0.15.2+/main.tf:26-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		26 | resource "aws_instance" "node3" {
		27 |   ami           = "ami-05655c267c89566dd"
		28 |   instance_type = "t3.micro"
		29 |   tags = {
		30 |     Name  = "Node-3"
		31 |     Owner = "Denis Astahov"
		32 |   }
		33 |   depends_on = [aws_instance.node2]
		34 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.node3
	File: /Lesson-27-v0.15.2+/main.tf:26-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		26 | resource "aws_instance" "node3" {
		27 |   ami           = "ami-05655c267c89566dd"
		28 |   instance_type = "t3.micro"
		29 |   tags = {
		30 |     Name  = "Node-3"
		31 |     Owner = "Denis Astahov"
		32 |   }
		33 |   depends_on = [aws_instance.node2]
		34 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.node3
	File: /Lesson-27-v0.15.2+/main.tf:26-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		26 | resource "aws_instance" "node3" {
		27 |   ami           = "ami-05655c267c89566dd"
		28 |   instance_type = "t3.micro"
		29 |   tags = {
		30 |     Name  = "Node-3"
		31 |     Owner = "Denis Astahov"
		32 |   }
		33 |   depends_on = [aws_instance.node2]
		34 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.node3
	File: /Lesson-27-v0.15.2+/main.tf:26-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		26 | resource "aws_instance" "node3" {
		27 |   ami           = "ami-05655c267c89566dd"
		28 |   instance_type = "t3.micro"
		29 |   tags = {
		30 |     Name  = "Node-3"
		31 |     Owner = "Denis Astahov"
		32 |   }
		33 |   depends_on = [aws_instance.node2]
		34 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.node1
	File: /Lesson-27/main.tf:8-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		8  | resource "aws_instance" "node1" {
		9  |   ami           = "ami-05655c267c89566dd"
		10 |   instance_type = "t3.micro"
		11 |   tags = {
		12 |     Name  = "Node-1"
		13 |     Owner = "Denis Astahov"
		14 |   }
		15 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.node1
	File: /Lesson-27/main.tf:8-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		8  | resource "aws_instance" "node1" {
		9  |   ami           = "ami-05655c267c89566dd"
		10 |   instance_type = "t3.micro"
		11 |   tags = {
		12 |     Name  = "Node-1"
		13 |     Owner = "Denis Astahov"
		14 |   }
		15 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.node1
	File: /Lesson-27/main.tf:8-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		8  | resource "aws_instance" "node1" {
		9  |   ami           = "ami-05655c267c89566dd"
		10 |   instance_type = "t3.micro"
		11 |   tags = {
		12 |     Name  = "Node-1"
		13 |     Owner = "Denis Astahov"
		14 |   }
		15 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.node1
	File: /Lesson-27/main.tf:8-15
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		8  | resource "aws_instance" "node1" {
		9  |   ami           = "ami-05655c267c89566dd"
		10 |   instance_type = "t3.micro"
		11 |   tags = {
		12 |     Name  = "Node-1"
		13 |     Owner = "Denis Astahov"
		14 |   }
		15 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.node2
	File: /Lesson-27/main.tf:17-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		17 | resource "aws_instance" "node2" {
		18 |   ami           = "ami-05655c267c89566dd"
		19 |   instance_type = "t3.micro"
		20 |   tags = {
		21 |     Name  = "Node-2"
		22 |     Owner = "Denis Astahov"
		23 |   }
		24 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.node2
	File: /Lesson-27/main.tf:17-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		17 | resource "aws_instance" "node2" {
		18 |   ami           = "ami-05655c267c89566dd"
		19 |   instance_type = "t3.micro"
		20 |   tags = {
		21 |     Name  = "Node-2"
		22 |     Owner = "Denis Astahov"
		23 |   }
		24 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.node2
	File: /Lesson-27/main.tf:17-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		17 | resource "aws_instance" "node2" {
		18 |   ami           = "ami-05655c267c89566dd"
		19 |   instance_type = "t3.micro"
		20 |   tags = {
		21 |     Name  = "Node-2"
		22 |     Owner = "Denis Astahov"
		23 |   }
		24 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.node2
	File: /Lesson-27/main.tf:17-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		17 | resource "aws_instance" "node2" {
		18 |   ami           = "ami-05655c267c89566dd"
		19 |   instance_type = "t3.micro"
		20 |   tags = {
		21 |     Name  = "Node-2"
		22 |     Owner = "Denis Astahov"
		23 |   }
		24 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.node3
	File: /Lesson-27/main.tf:26-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		26 | resource "aws_instance" "node3" {
		27 |   ami           = "ami-05655c267c89566dd"
		28 |   instance_type = "t3.micro"
		29 |   tags = {
		30 |     Name  = "Node-3"
		31 |     Owner = "Denis Astahov"
		32 |   }
		33 |   depends_on = [aws_instance.node2]
		34 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.node3
	File: /Lesson-27/main.tf:26-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		26 | resource "aws_instance" "node3" {
		27 |   ami           = "ami-05655c267c89566dd"
		28 |   instance_type = "t3.micro"
		29 |   tags = {
		30 |     Name  = "Node-3"
		31 |     Owner = "Denis Astahov"
		32 |   }
		33 |   depends_on = [aws_instance.node2]
		34 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.node3
	File: /Lesson-27/main.tf:26-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		26 | resource "aws_instance" "node3" {
		27 |   ami           = "ami-05655c267c89566dd"
		28 |   instance_type = "t3.micro"
		29 |   tags = {
		30 |     Name  = "Node-3"
		31 |     Owner = "Denis Astahov"
		32 |   }
		33 |   depends_on = [aws_instance.node2]
		34 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.node3
	File: /Lesson-27/main.tf:26-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		26 | resource "aws_instance" "node3" {
		27 |   ami           = "ami-05655c267c89566dd"
		28 |   instance_type = "t3.micro"
		29 |   tags = {
		30 |     Name  = "Node-3"
		31 |     Owner = "Denis Astahov"
		32 |   }
		33 |   depends_on = [aws_instance.node2]
		34 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.web-prod
	File: /Lesson-28/new-prod/web-prod.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		1  | resource "aws_instance" "web-prod" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-prod.id]
		5  |   user_data = <PROD WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "PROD WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.web-prod
	File: /Lesson-28/new-prod/web-prod.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		1  | resource "aws_instance" "web-prod" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-prod.id]
		5  |   user_data = <PROD WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "PROD WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.web-prod
	File: /Lesson-28/new-prod/web-prod.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		1  | resource "aws_instance" "web-prod" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-prod.id]
		5  |   user_data = <PROD WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "PROD WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.web-prod
	File: /Lesson-28/new-prod/web-prod.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		1  | resource "aws_instance" "web-prod" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-prod.id]
		5  |   user_data = <PROD WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "PROD WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
	FAILED for resource: aws_default_vpc.default
	File: /Lesson-28/new-prod/web-prod.tf:21-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html

		21 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.web-prod
	File: /Lesson-28/new-prod/web-prod.tf:23-46
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		23 | resource "aws_security_group" "web-prod" {
		24 |   name        = "WebServer SG Prod"
		25 |   description = "My First SecurityGroup"
		26 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		27 | 
		28 |   ingress {
		29 |     from_port   = 80
		30 |     to_port     = 80
		31 |     protocol    = "tcp"
		32 |     cidr_blocks = ["0.0.0.0/0"]
		33 |   }
		34 | 
		35 |   egress {
		36 |     from_port   = 0
		37 |     to_port     = 0
		38 |     protocol    = "-1"
		39 |     cidr_blocks = ["0.0.0.0/0"]
		40 |   }
		41 | 
		42 |   tags = {
		43 |     Name  = "Web Server SecurityGroup"
		44 |     Owner = "Denis Astahov"
		45 |   }
		46 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.web-prod
	File: /Lesson-28/new-prod/web-prod.tf:23-46
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html

		23 | resource "aws_security_group" "web-prod" {
		24 |   name        = "WebServer SG Prod"
		25 |   description = "My First SecurityGroup"
		26 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		27 | 
		28 |   ingress {
		29 |     from_port   = 80
		30 |     to_port     = 80
		31 |     protocol    = "tcp"
		32 |     cidr_blocks = ["0.0.0.0/0"]
		33 |   }
		34 | 
		35 |   egress {
		36 |     from_port   = 0
		37 |     to_port     = 0
		38 |     protocol    = "-1"
		39 |     cidr_blocks = ["0.0.0.0/0"]
		40 |   }
		41 | 
		42 |   tags = {
		43 |     Name  = "Web Server SecurityGroup"
		44 |     Owner = "Denis Astahov"
		45 |   }
		46 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.web-stag
	File: /Lesson-28/new-staging/web-stag.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		1  | resource "aws_instance" "web-stag" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-stag.id]
		5  |   user_data = <STAG WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "STAG WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.web-stag
	File: /Lesson-28/new-staging/web-stag.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		1  | resource "aws_instance" "web-stag" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-stag.id]
		5  |   user_data = <STAG WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "STAG WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.web-stag
	File: /Lesson-28/new-staging/web-stag.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		1  | resource "aws_instance" "web-stag" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-stag.id]
		5  |   user_data = <STAG WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "STAG WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.web-stag
	File: /Lesson-28/new-staging/web-stag.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		1  | resource "aws_instance" "web-stag" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-stag.id]
		5  |   user_data = <STAG WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "STAG WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
	FAILED for resource: aws_default_vpc.default
	File: /Lesson-28/new-staging/web-stag.tf:21-21
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html

		21 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.web-stag
	File: /Lesson-28/new-staging/web-stag.tf:23-46
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		23 | resource "aws_security_group" "web-stag" {
		24 |   name        = "WebServer SG Stag"
		25 |   description = "My First SecurityGroup"
		26 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		27 | 
		28 |   ingress {
		29 |     from_port   = 80
		30 |     to_port     = 80
		31 |     protocol    = "tcp"
		32 |     cidr_blocks = ["0.0.0.0/0"]
		33 |   }
		34 | 
		35 |   egress {
		36 |     from_port   = 0
		37 |     to_port     = 0
		38 |     protocol    = "-1"
		39 |     cidr_blocks = ["0.0.0.0/0"]
		40 |   }
		41 | 
		42 |   tags = {
		43 |     Name  = "Web Server SecurityGroup"
		44 |     Owner = "Denis Astahov"
		45 |   }
		46 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.web-stag
	File: /Lesson-28/new-staging/web-stag.tf:23-46
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html

		23 | resource "aws_security_group" "web-stag" {
		24 |   name        = "WebServer SG Stag"
		25 |   description = "My First SecurityGroup"
		26 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		27 | 
		28 |   ingress {
		29 |     from_port   = 80
		30 |     to_port     = 80
		31 |     protocol    = "tcp"
		32 |     cidr_blocks = ["0.0.0.0/0"]
		33 |   }
		34 | 
		35 |   egress {
		36 |     from_port   = 0
		37 |     to_port     = 0
		38 |     protocol    = "-1"
		39 |     cidr_blocks = ["0.0.0.0/0"]
		40 |   }
		41 | 
		42 |   tags = {
		43 |     Name  = "Web Server SecurityGroup"
		44 |     Owner = "Denis Astahov"
		45 |   }
		46 | }

Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
	FAILED for resource: aws_default_vpc.default
	File: /Lesson-28/old-all/main.tf:13-13
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html

		13 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.web-prod
	File: /Lesson-28/old-all/web-prod.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		1  | resource "aws_instance" "web-prod" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-prod.id]
		5  |   user_data = <PROD WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "PROD WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.web-prod
	File: /Lesson-28/old-all/web-prod.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		1  | resource "aws_instance" "web-prod" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-prod.id]
		5  |   user_data = <PROD WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "PROD WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.web-prod
	File: /Lesson-28/old-all/web-prod.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		1  | resource "aws_instance" "web-prod" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-prod.id]
		5  |   user_data = <PROD WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "PROD WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.web-prod
	File: /Lesson-28/old-all/web-prod.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		1  | resource "aws_instance" "web-prod" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-prod.id]
		5  |   user_data = <PROD WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "PROD WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.web-prod
	File: /Lesson-28/old-all/web-prod.tf:21-44
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		21 | resource "aws_security_group" "web-prod" {
		22 |   name        = "WebServer SG Prod"
		23 |   description = "My First SecurityGroup"
		24 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		25 | 
		26 |   ingress {
		27 |     from_port   = 80
		28 |     to_port     = 80
		29 |     protocol    = "tcp"
		30 |     cidr_blocks = ["0.0.0.0/0"]
		31 |   }
		32 | 
		33 |   egress {
		34 |     from_port   = 0
		35 |     to_port     = 0
		36 |     protocol    = "-1"
		37 |     cidr_blocks = ["0.0.0.0/0"]
		38 |   }
		39 | 
		40 |   tags = {
		41 |     Name  = "Web Server SecurityGroup"
		42 |     Owner = "Denis Astahov"
		43 |   }
		44 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.web-prod
	File: /Lesson-28/old-all/web-prod.tf:21-44
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html

		21 | resource "aws_security_group" "web-prod" {
		22 |   name        = "WebServer SG Prod"
		23 |   description = "My First SecurityGroup"
		24 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		25 | 
		26 |   ingress {
		27 |     from_port   = 80
		28 |     to_port     = 80
		29 |     protocol    = "tcp"
		30 |     cidr_blocks = ["0.0.0.0/0"]
		31 |   }
		32 | 
		33 |   egress {
		34 |     from_port   = 0
		35 |     to_port     = 0
		36 |     protocol    = "-1"
		37 |     cidr_blocks = ["0.0.0.0/0"]
		38 |   }
		39 | 
		40 |   tags = {
		41 |     Name  = "Web Server SecurityGroup"
		42 |     Owner = "Denis Astahov"
		43 |   }
		44 | }

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: aws_instance.web-stag
	File: /Lesson-28/old-all/web-stag.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html

		1  | resource "aws_instance" "web-stag" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-stag.id]
		5  |   user_data = <STAG WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "STAG WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.web-stag
	File: /Lesson-28/old-all/web-stag.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html

		1  | resource "aws_instance" "web-stag" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-stag.id]
		5  |   user_data = <STAG WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "STAG WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.web-stag
	File: /Lesson-28/old-all/web-stag.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		1  | resource "aws_instance" "web-stag" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-stag.id]
		5  |   user_data = <STAG WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "STAG WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.web-stag
	File: /Lesson-28/old-all/web-stag.tf:1-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html

		1  | resource "aws_instance" "web-stag" {
		2  |   ami                    = data.aws_ami.latest_amazon_linux.id
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.web-stag.id]
		5  |   user_data = <STAG WebServer with IP: $myip
		     Build by Terraform!" > /var/www/html/index.html
		11 | sudo service httpd start
		12 | chkconfig httpd on
		13 | EOF
		14 | 
		15 |   tags = {
		16 |     Name  = "STAG WebServer"
		17 |     Owner = "Denis Astahov"
		18 |   }
		19 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.web-stag
	File: /Lesson-28/old-all/web-stag.tf:21-44
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		21 | resource "aws_security_group" "web-stag" {
		22 |   name        = "WebServer SG Stag"
		23 |   description = "My First SecurityGroup"
		24 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		25 | 
		26 |   ingress {
		27 |     from_port   = 80
		28 |     to_port     = 80
		29 |     protocol    = "tcp"
		30 |     cidr_blocks = ["0.0.0.0/0"]
		31 |   }
		32 | 
		33 |   egress {
		34 |     from_port   = 0
		35 |     to_port     = 0
		36 |     protocol    = "-1"
		37 |     cidr_blocks = ["0.0.0.0/0"]
		38 |   }
		39 | 
		40 |   tags = {
		41 |     Name  = "Web Server SecurityGroup"
		42 |     Owner = "Denis Astahov"
		43 |   }
		44 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.web-stag
	File: /Lesson-28/old-all/web-stag.tf:21-44
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html

		21 | resource "aws_security_group" "web-stag" {
		22 |   name        = "WebServer SG Stag"
		23 |   description = "My First SecurityGroup"
		24 |   vpc_id      = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		25 | 
		26 |   ingress {
		27 |     from_port   = 80
		28 |     to_port     = 80
		29 |     protocol    = "tcp"
		30 |     cidr_blocks = ["0.0.0.0/0"]
		31 |   }
		32 | 
		33 |   egress {
		34 |     from_port   = 0
		35 |     to_port     = 0
		36 |     protocol    = "-1"
		37 |     cidr_blocks = ["0.0.0.0/0"]
38 | } 39 | 40 | tags = { 41 | Name = "Web Server SecurityGroup" 42 | Owner = "Denis Astahov" 43 | } 44 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.web File: /Lesson-29/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = "t3.micro" 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <PROD WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "PROD WebServer - ${terraform.workspace}" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.web File: /Lesson-29/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = "t3.micro" 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <PROD WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "PROD WebServer - ${terraform.workspace}" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.web File: /Lesson-29/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = "t3.micro" 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <PROD WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "PROD WebServer - ${terraform.workspace}" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.web File: /Lesson-29/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = "t3.micro" 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <PROD WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "PROD WebServer - ${terraform.workspace}" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned" FAILED for resource: aws_default_vpc.default File: /Lesson-29/main.tf:30-30 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html 30 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.web File: /Lesson-29/main.tf:32-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 32 | resource "aws_security_group" "web" { 33 | name_prefix = "WebServer SG Prod" 34 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 35 | 36 | ingress { 37 | from_port = 80 38 | to_port = 80 39 | protocol = "tcp" 40 | cidr_blocks = ["0.0.0.0/0"] 41 | } 42 | egress { 43 | from_port = 0 44 | to_port = 0 45 | protocol = "-1" 46 | cidr_blocks = ["0.0.0.0/0"] 47 | } 48 | 49 | tags = { 50 | Name = "Web Server SecurityGroup - ${terraform.workspace}" 51 | Owner = "Denis Astahov" 52 | } 53 | } Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" FAILED for resource: aws_security_group.web File: /Lesson-29/main.tf:32-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html 32 | 
resource "aws_security_group" "web" { 33 | name_prefix = "WebServer SG Prod" 34 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 35 | 36 | ingress { 37 | from_port = 80 38 | to_port = 80 39 | protocol = "tcp" 40 | cidr_blocks = ["0.0.0.0/0"] 41 | } 42 | egress { 43 | from_port = 0 44 | to_port = 0 45 | protocol = "-1" 46 | cidr_blocks = ["0.0.0.0/0"] 47 | } 48 | 49 | tags = { 50 | Name = "Web Server SecurityGroup - ${terraform.workspace}" 51 | Owner = "Denis Astahov" 52 | } 53 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: aws_instance.web File: /Lesson-30/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = var.server_size 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <${var.server_name}-WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "${var.server_name}-WebServer" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: aws_instance.web File: /Lesson-30/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = var.server_size 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <${var.server_name}-WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "${var.server_name}-WebServer" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: aws_instance.web File: /Lesson-30/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = var.server_size 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <${var.server_name}-WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "${var.server_name}-WebServer" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: aws_instance.web File: /Lesson-30/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = var.server_size 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <${var.server_name}-WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "${var.server_name}-WebServer" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned" FAILED for resource: aws_default_vpc.default File: /Lesson-30/main.tf:30-30 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html 30 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id Check: CKV_AWS_23: "Ensure every security groups rule has a description" FAILED for resource: aws_security_group.web File: /Lesson-30/main.tf:32-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html 32 | resource "aws_security_group" "web" { 33 | name_prefix = "${var.server_name}-WebServer-SG" 34 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 35 | 36 | ingress { 37 | from_port = 80 38 | to_port = 80 39 | protocol = "tcp" 40 | cidr_blocks = ["0.0.0.0/0"] 41 | } 42 | egress { 43 | from_port = 0 44 | to_port = 0 45 | protocol = "-1" 46 | cidr_blocks = ["0.0.0.0/0"] 47 | } 48 | 49 | tags = { 50 | Name = "${var.server_name}-WebServer SecurityGroup" 51 | Owner = "Denis Astahov" 52 | } 53 | } Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" FAILED for resource: aws_security_group.web File: /Lesson-30/main.tf:32-53 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html 32 | resource 
"aws_security_group" "web" { 33 | name_prefix = "${var.server_name}-WebServer-SG" 34 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id 35 | 36 | ingress { 37 | from_port = 80 38 | to_port = 80 39 | protocol = "tcp" 40 | cidr_blocks = ["0.0.0.0/0"] 41 | } 42 | egress { 43 | from_port = 0 44 | to_port = 0 45 | protocol = "-1" 46 | cidr_blocks = ["0.0.0.0/0"] 47 | } 48 | 49 | tags = { 50 | Name = "${var.server_name}-WebServer SecurityGroup" 51 | Owner = "Denis Astahov" 52 | } 53 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: module.servers.aws_instance.server_root File: /Lesson-32/module_servers/main.tf:46-51 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 46 | resource "aws_instance" "server_root" { 47 | provider = aws.root 48 | ami = data.aws_ami.latest_ubuntu20_root.id 49 | instance_type = var.instance_type 50 | tags = { Name = "Server-ROOT" } 51 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: module.servers.aws_instance.server_root File: /Lesson-32/module_servers/main.tf:46-51 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 46 | resource "aws_instance" "server_root" { 47 | provider = aws.root 48 | ami = data.aws_ami.latest_ubuntu20_root.id 49 | instance_type = var.instance_type 50 | tags = { Name = "Server-ROOT" } 51 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: module.servers.aws_instance.server_root File: 
/Lesson-32/module_servers/main.tf:46-51 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 46 | resource "aws_instance" "server_root" { 47 | provider = aws.root 48 | ami = data.aws_ami.latest_ubuntu20_root.id 49 | instance_type = var.instance_type 50 | tags = { Name = "Server-ROOT" } 51 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: module.servers.aws_instance.server_root File: /Lesson-32/module_servers/main.tf:46-51 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 46 | resource "aws_instance" "server_root" { 47 | provider = aws.root 48 | ami = data.aws_ami.latest_ubuntu20_root.id 49 | instance_type = var.instance_type 50 | tags = { Name = "Server-ROOT" } 51 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: module.servers.aws_instance.server_prod File: /Lesson-32/module_servers/main.tf:53-58 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 53 | resource "aws_instance" "server_prod" { 54 | provider = aws.prod 55 | ami = data.aws_ami.latest_ubuntu20_prod.id 56 | instance_type = var.instance_type 57 | tags = { Name = "Server-PROD" } 58 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: module.servers.aws_instance.server_prod File: /Lesson-32/module_servers/main.tf:53-58 Calling File: /Lesson-32/main.tf:24-32 
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 53 | resource "aws_instance" "server_prod" { 54 | provider = aws.prod 55 | ami = data.aws_ami.latest_ubuntu20_prod.id 56 | instance_type = var.instance_type 57 | tags = { Name = "Server-PROD" } 58 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: module.servers.aws_instance.server_prod File: /Lesson-32/module_servers/main.tf:53-58 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 53 | resource "aws_instance" "server_prod" { 54 | provider = aws.prod 55 | ami = data.aws_ami.latest_ubuntu20_prod.id 56 | instance_type = var.instance_type 57 | tags = { Name = "Server-PROD" } 58 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: module.servers.aws_instance.server_prod File: /Lesson-32/module_servers/main.tf:53-58 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 53 | resource "aws_instance" "server_prod" { 54 | provider = aws.prod 55 | ami = data.aws_ami.latest_ubuntu20_prod.id 56 | instance_type = var.instance_type 57 | tags = { Name = "Server-PROD" } 58 | } Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances" FAILED for resource: module.servers.aws_instance.server_dev File: /Lesson-32/module_servers/main.tf:60-65 Calling File: /Lesson-32/main.tf:24-32 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html 60 | resource "aws_instance" "server_dev" { 61 | provider = aws.dev 62 | ami = data.aws_ami.latest_ubuntu20_dev.id 63 | instance_type = var.instance_type 64 | tags = { Name = "Server-DEV" } 65 | } Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted" FAILED for resource: module.servers.aws_instance.server_dev File: /Lesson-32/module_servers/main.tf:60-65 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html 60 | resource "aws_instance" "server_dev" { 61 | provider = aws.dev 62 | ami = data.aws_ami.latest_ubuntu20_dev.id 63 | instance_type = var.instance_type 64 | tags = { Name = "Server-DEV" } 65 | } Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled" FAILED for resource: module.servers.aws_instance.server_dev File: /Lesson-32/module_servers/main.tf:60-65 Calling File: /Lesson-32/main.tf:24-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html 60 | resource "aws_instance" "server_dev" { 61 | provider = aws.dev 62 | ami = data.aws_ami.latest_ubuntu20_dev.id 63 | instance_type = var.instance_type 64 | tags = { Name = "Server-DEV" } 65 | } Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized" FAILED for resource: module.servers.aws_instance.server_dev File: /Lesson-32/module_servers/main.tf:60-65 Calling File: /Lesson-32/main.tf:24-32 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html 60 | resource "aws_instance" "server_dev" { 61 | provider = aws.dev 62 | ami = data.aws_ami.latest_ubuntu20_dev.id 63 | instance_type = var.instance_type 64 | tags = { Name = "Server-DEV" } 65 | } Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled" FAILED for resource: aws_db_instance.default File: /Lesson-16/main.tf:43-56 43 | resource "aws_db_instance" "default" { 44 | identifier = "prod-rds" 45 | allocated_storage = 20 46 | storage_type = "gp2" 47 | engine = "mysql" 48 | engine_version = "5.7" 49 | instance_class = "db.t2.micro" 50 | name = "prod" 51 | username = "administrator" 52 | password = data.aws_ssm_parameter.my_rds_password.value 53 | parameter_group_name = "default.mysql5.7" 54 | skip_final_snapshot = true 55 | apply_immediately = true 56 | } Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.myip-prod File: /Lesson-28/old-all/main.tf:12-12 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 12 | resource "aws_eip" "myip-prod" {} Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.my_static_ip File: /Lesson-14/main.tf:31-42 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 31 | resource "aws_eip" "my_static_ip" { 32 | vpc = true # Need to add in new AWS Provider version 33 | tags = { 34 | 
Name = "Static IP" 35 | Owner = var.owner 36 | Project = local.full_project_name 37 | proj_owner = local.project_owner 38 | city = local.city 39 | region_azs = local.az_list 40 | location = local.location 41 | } 42 | } Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: module.vpc-default.aws_eip.nat[0] File: /Lesson-21/modules/aws_network/main.tf:65-71 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 65 | resource "aws_eip" "nat" { 66 | count = length(var.private_subnet_cidrs) 67 | domain = "vpc" 68 | tags = { 69 | Name = "${var.env}-nat-gw-${count.index + 1}" 70 | } 71 | } Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: module.vpc-prod.aws_eip.nat[0] File: /Lesson-21/modules/aws_network/main.tf:65-71 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 65 | resource "aws_eip" "nat" { 66 | count = length(var.private_subnet_cidrs) 67 | domain = "vpc" 68 | tags = { 69 | Name = "${var.env}-nat-gw-${count.index + 1}" 70 | } 71 | } Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: module.vpc-test.aws_eip.nat[0] File: /Lesson-21/modules/aws_network/main.tf:65-71 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 65 | resource "aws_eip" "nat" { 66 | count = 
length(var.private_subnet_cidrs) 67 | domain = "vpc" 68 | tags = { 69 | Name = "${var.env}-nat-gw-${count.index + 1}" 70 | } 71 | } Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.prod-ip1 File: /Lesson-28/new-prod/ip-prod.tf:1-1 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 1 | resource "aws_eip" "prod-ip1" { domain = "vpc" } # Need to add in new AWS Provider version Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.prod-ip2 File: /Lesson-28/new-prod/ip-prod.tf:2-2 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 2 | resource "aws_eip" "prod-ip2" { domain = "vpc" } # Need to add in new AWS Provider version Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.stag-ip1 File: /Lesson-28/new-staging/ip-stag.tf:1-1 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 1 | resource "aws_eip" "stag-ip1" { vpc = true } # Need to add in new AWS Provider version Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.stag-ip2 File: /Lesson-28/new-staging/ip-stag.tf:2-2 Guide: 
https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 2 | resource "aws_eip" "stag-ip2" { vpc = true } # Need to add in new AWS Provider version Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.prod-ip1 File: /Lesson-28/old-all/ip-prod.tf:1-1 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 1 | resource "aws_eip" "prod-ip1" { domain = "vpc" } # Need to add in new AWS Provider version Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.prod-ip2 File: /Lesson-28/old-all/ip-prod.tf:2-2 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 2 | resource "aws_eip" "prod-ip2" { domain = "vpc" } # Need to add in new AWS Provider version Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: aws_eip.stag-ip1 File: /Lesson-28/old-all/ip-stag.tf:1-1 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 1 | resource "aws_eip" "stag-ip1" { domain = "vpc" } # Need to add in new AWS Provider version Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 
instances" FAILED for resource: aws_eip.stag-ip2 File: /Lesson-28/old-all/ip-stag.tf:2-2 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 2 | resource "aws_eip" "stag-ip2" { domain = "vpc" } # Need to add in new AWS Provider version Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: module.vpc-default.aws_eip.nat[1] File: /Lesson-21/modules/aws_network/main.tf:65-71 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 65 | resource "aws_eip" "nat" { 66 | count = length(var.private_subnet_cidrs) 67 | domain = "vpc" 68 | tags = { 69 | Name = "${var.env}-nat-gw-${count.index + 1}" 70 | } 71 | } Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: module.vpc-default.aws_eip.nat[2] File: /Lesson-21/modules/aws_network/main.tf:65-71 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html 65 | resource "aws_eip" "nat" { 66 | count = length(var.private_subnet_cidrs) 67 | domain = "vpc" 68 | tags = { 69 | Name = "${var.env}-nat-gw-${count.index + 1}" 70 | } 71 | } Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances" FAILED for resource: module.vpc-prod.aws_eip.nat[1] File: /Lesson-21/modules/aws_network/main.tf:65-71 Guide: 
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html

		65 | resource "aws_eip" "nat" {
		66 |   count  = length(var.private_subnet_cidrs)
		67 |   domain = "vpc"
		68 |   tags = {
		69 |     Name = "${var.env}-nat-gw-${count.index + 1}"
		70 |   }
		71 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: module.vpc-prod.aws_eip.nat[2]
	File: /Lesson-21/modules/aws_network/main.tf:65-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html

		65 | resource "aws_eip" "nat" {
		66 |   count  = length(var.private_subnet_cidrs)
		67 |   domain = "vpc"
		68 |   tags = {
		69 |     Name = "${var.env}-nat-gw-${count.index + 1}"
		70 |   }
		71 | }

Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
	FAILED for resource: module.vpc-test.aws_eip.nat[1]
	File: /Lesson-21/modules/aws_network/main.tf:65-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html

		65 | resource "aws_eip" "nat" {
		66 |   count  = length(var.private_subnet_cidrs)
		67 |   domain = "vpc"
		68 |   tags = {
		69 |     Name = "${var.env}-nat-gw-${count.index + 1}"
		70 |   }
		71 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: aws_vpc.main
	File: /Lesson-20/Layer1-Network/main.tf:24-29
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		24 | resource "aws_vpc" "main" {
		25 |   cidr_block = var.vpc_cidr
		26 |   tags = {
		27 |     Name = "${var.env}-vpc"
		28 |   }
		29 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc-default.aws_vpc.main
	File: /Lesson-21/modules/aws_network/main.tf:17-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		17 | resource "aws_vpc" "main" {
		18 |   cidr_block = var.vpc_cidr
		19 |   tags = {
		20 |     Name = "${var.env}-vpc"
		21 |   }
		22 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc-dev.aws_vpc.main
	File: /Lesson-21/modules/aws_network/main.tf:17-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		17 | resource "aws_vpc" "main" {
		18 |   cidr_block = var.vpc_cidr
		19 |   tags = {
		20 |     Name = "${var.env}-vpc"
		21 |   }
		22 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc-prod.aws_vpc.main
	File: /Lesson-21/modules/aws_network/main.tf:17-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		17 | resource "aws_vpc" "main" {
		18 |   cidr_block = var.vpc_cidr
		19 |   tags = {
		20 |     Name = "${var.env}-vpc"
		21 |   }
		22 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc-test.aws_vpc.main
	File: /Lesson-21/modules/aws_network/main.tf:17-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		17 | resource "aws_vpc" "main" {
		18 |   cidr_block = var.vpc_cidr
		19 |   tags = {
		20 |     Name = "${var.env}-vpc"
		21 |   }
		22 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: aws_vpc.vpc1
	File: /Lesson-23/stack1/main.tf:29-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		29 | resource "aws_vpc" "vpc1" {
		30 |   cidr_block = "10.0.0.0/16"
		31 |   tags = {
		32 |     Name    = "Stack1-VPC1"
		33 |     Company = local.company_name
		34 |     Owner   = local.owner
		35 |   }
		36 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: aws_vpc.vpc2
	File: /Lesson-23/stack1/main.tf:39-42
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		39 | resource "aws_vpc" "vpc2" {
		40 |   cidr_block = "10.0.0.0/16"
		41 |   tags       = merge(local.common_tags, { Name = "Stack1-VPC2" })
		42 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: aws_vpc.vpc1
	File: /Lesson-23/stack2/main.tf:29-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		29 | resource "aws_vpc" "vpc1" {
		30 |   cidr_block = "10.0.0.0/16"
		31 |   tags = {
		32 |     Name    = "Stack2-VPC1"
		33 |     Company = local.company_name
		34 |     Owner   = local.owner
		35 |   }
		36 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: aws_vpc.vpc2
	File: /Lesson-23/stack2/main.tf:39-42
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		39 | resource "aws_vpc" "vpc2" {
		40 |   cidr_block = "10.0.0.0/16"
		41 |   tags       = merge(local.common_tags, { Name = "Stack2-VPC2" })
		42 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc[0].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc-dev.aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc-prod.aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc-staging.aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc_list["dev"].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc[1].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc_list["prod"].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: module.vpc_list["stag"].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }
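A fix for the CKV2_AWS_12 findings above, written as an added example and not taken from the adv4000/terraform-lessons repository. Every finding in this group points at the same kind of aws_vpc block (one per environment wherever a module is instantiated several times), so the change belongs in modules/aws_network/main.tf and in the two Lesson-23 stacks, not in each caller. Terraform cannot delete a VPC's default security group, but declaring it as aws_default_security_group with no ingress or egress blocks makes the AWS provider strip the rules AWS creates automatically (allow all traffic between members of the group, allow all egress), which is what the check requires. var.vpc_cidr and var.env are the module's own variables; the tag value on the default group is an assumption.

```hcl
# Added example (not repository code): aws_vpc.main from
# modules/aws_network/main.tf, plus its default security group
# brought under Terraform management and emptied.
resource "aws_vpc" "main" {
  cidr_block = var.vpc_cidr
  tags = {
    Name = "${var.env}-vpc"
  }
}

# No ingress/egress blocks here: the provider deletes the rules AWS
# created, so the default group passes no traffic at all. Nothing
# should be launched into it; workloads get explicit, purpose-built
# security groups instead.
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "${var.env}-default-sg-locked" # assumed tag value
  }
}
```

After apply, `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id> Name=group-name,Values=default` should return empty IpPermissions and IpPermissionsEgress lists. Because the module file is shared, one change clears all the module.vpc-*, module.vpc[*] and module.vpc_list[*] findings in Lesson-21 and Lesson-31 at once.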
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.http
	File: /Lesson-11-ALB-LaunchTemplate/main.tf:126-135
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		126 | resource "aws_lb_listener" "http" {
		127 |   load_balancer_arn = aws_lb.web.arn
		128 |   port              = "80"
		129 |   protocol          = "HTTP"
		130 |
		131 |   default_action {
		132 |     type             = "forward"
		133 |     target_group_arn = aws_lb_target_group.web.arn
		134 |   }
		135 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.web
	File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		111 | resource "aws_lb" "web" {
		112 |   name               = "WebServer-HighlyAvailable-ALB"
		113 |   load_balancer_type = "application"
		114 |   security_groups    = [aws_security_group.web.id]
		115 |   subnets            = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
		116 | }

Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.web
	File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html

		111 | resource "aws_lb" "web" {
		112 |   name               = "WebServer-HighlyAvailable-ALB"
		113 |   load_balancer_type = "application"
		114 |   security_groups    = [aws_security_group.web.id]
		115 |   subnets            = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
		116 | }
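An added example, not code from the repository, that addresses the three ALB findings above together: CKV_AWS_103 and CKV2_AWS_20 by moving the forwarding listener to HTTPS with a TLS 1.2-or-better policy and turning port 80 into a redirect-only listener, and CKV2_AWS_28 by associating a WAFv2 web ACL with the load balancer. aws_lb.web and aws_lb_target_group.web are the resources named in the findings; aws_acm_certificate.web, the web ACL name and the choice of the AWS Common Rule Set are assumptions made for the example. ELBSecurityPolicy-TLS13-1-2-2021-06 is one of AWS's predefined listener policies that negotiates only TLS 1.2 and 1.3.

```hcl
# Added example (not repository code): HTTPS termination, HTTP->HTTPS
# redirect and a WAF association for the aws_lb.web load balancer.

# Forwarding now happens only on 443 with a TLS 1.2+ policy.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.web.arn # assumed ACM certificate

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Port 80 no longer forwards anything; it answers every request with
# a permanent redirect to the same path on HTTPS.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Regional web ACL with the AWS-managed Common Rule Set in blocking
# mode; the ACL name and rule choice are assumptions for the example.
resource "aws_wafv2_web_acl" "web" {
  name  = "web-alb-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "web-alb-common-rules"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-alb-acl"
    sampled_requests_enabled   = true
  }
}

# The association is what CKV2_AWS_28 looks for: an ACL that exists
# but is not attached to the ALB does not count.
resource "aws_wafv2_web_acl_association" "web" {
  resource_arn = aws_lb.web.arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}
```

Two things the findings do not show but the change depends on: aws_security_group.web has to admit inbound 443 as well as 80, and the ACM certificate must be issued in the same region as the ALB. CKV_AWS_103 passes for an HTTP listener whose only action is a redirect to HTTPS, so the port 80 listener does not need an ssl_policy of its own.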
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.my_webserver
	File: /Lesson-05/DynamicSecurityGroup.tf:16-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		16 | resource "aws_security_group" "my_webserver" {
		17 |   name   = "Dynamic Security Group"
		18 |   vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		19 |
		20 |
		21 |   dynamic "ingress" {
		22 |     for_each = ["80", "443", "8080", "1541", "9092", "9093"]
		23 |     content {
		24 |       from_port   = ingress.value
		25 |       to_port     = ingress.value
		26 |       protocol    = "tcp"
		27 |       cidr_blocks = ["0.0.0.0/0"]
		28 |     }
		29 |   }
		30 |
		31 |
		32 |   ingress {
		33 |     from_port   = 22
		34 |     to_port     = 22
		35 |     protocol    = "tcp"
		36 |     cidr_blocks = ["10.10.0.0/16"]
		37 |   }
		38 |
		39 |
		40 |
		41 |   egress {
		42 |     from_port   = 0
		43 |     to_port     = 0
		44 |     protocol    = "-1"
		45 |     cidr_blocks = ["0.0.0.0/0"]
		46 |   }
		47 |
		48 |   tags = {
		49 |     Name  = "Dynamic SecurityGroup"
		50 |     Owner = "Denis Astahov"
		51 |   }
		52 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.my_webserver
	File: /Lesson-17/main.tf:52-76
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		52 | resource "aws_security_group" "my_webserver" {
		53 |   name   = "Dynamic Security Group"
		54 |   vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
		55 |
		56 |   dynamic "ingress" {
		57 |     for_each = lookup(var.allow_port_list, var.env)
		58 |     content {
		59 |       from_port   = ingress.value
		60 |       to_port     = ingress.value
		61 |       protocol    = "tcp"
		62 |       cidr_blocks = ["0.0.0.0/0"]
		63 |     }
		64 |   }
		65 |   egress {
		66 |     from_port   = 0
		67 |     to_port     = 0
		68 |     protocol    = "-1"
		69 |     cidr_blocks = ["0.0.0.0/0"]
		70 |   }
		71 |
		72 |   tags = {
		73 |     Name  = "Dynamic SecurityGroup"
		74 |     Owner = "Denis Astahov"
		75 |   }
		76 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.nomad
	File: /Lesson-26/import-begin.tf:18-20
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		18 | resource "aws_security_group" "nomad" {
		19 |
		20 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: aws_vpc.main
	File: /Lesson-20/Layer1-Network/main.tf:24-29
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		24 | resource "aws_vpc" "main" {
		25 |   cidr_block = var.vpc_cidr
		26 |   tags = {
		27 |     Name = "${var.env}-vpc"
		28 |   }
		29 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc-default.aws_vpc.main
	File: /Lesson-21/modules/aws_network/main.tf:17-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		17 | resource "aws_vpc" "main" {
		18 |   cidr_block = var.vpc_cidr
		19 |   tags = {
		20 |     Name = "${var.env}-vpc"
		21 |   }
		22 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc-dev.aws_vpc.main
	File: /Lesson-21/modules/aws_network/main.tf:17-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		17 | resource "aws_vpc" "main" {
		18 |   cidr_block = var.vpc_cidr
		19 |   tags = {
		20 |     Name = "${var.env}-vpc"
		21 |   }
		22 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc-prod.aws_vpc.main
	File: /Lesson-21/modules/aws_network/main.tf:17-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		17 | resource "aws_vpc" "main" {
		18 |   cidr_block = var.vpc_cidr
		19 |   tags = {
		20 |     Name = "${var.env}-vpc"
		21 |   }
		22 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc-test.aws_vpc.main
	File: /Lesson-21/modules/aws_network/main.tf:17-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		17 | resource "aws_vpc" "main" {
		18 |   cidr_block = var.vpc_cidr
		19 |   tags = {
		20 |     Name = "${var.env}-vpc"
		21 |   }
		22 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: aws_vpc.vpc1
	File: /Lesson-23/stack1/main.tf:29-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		29 | resource "aws_vpc" "vpc1" {
		30 |   cidr_block = "10.0.0.0/16"
		31 |   tags = {
		32 |     Name    = "Stack1-VPC1"
		33 |     Company = local.company_name
		34 |     Owner   = local.owner
		35 |   }
		36 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: aws_vpc.vpc2
	File: /Lesson-23/stack1/main.tf:39-42
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		39 | resource "aws_vpc" "vpc2" {
		40 |   cidr_block = "10.0.0.0/16"
		41 |   tags       = merge(local.common_tags, { Name = "Stack1-VPC2" })
		42 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: aws_vpc.vpc1
	File: /Lesson-23/stack2/main.tf:29-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		29 | resource "aws_vpc" "vpc1" {
		30 |   cidr_block = "10.0.0.0/16"
		31 |   tags = {
		32 |     Name    = "Stack2-VPC1"
		33 |     Company = local.company_name
		34 |     Owner   = local.owner
		35 |   }
		36 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: aws_vpc.vpc2
	File: /Lesson-23/stack2/main.tf:39-42
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		39 | resource "aws_vpc" "vpc2" {
		40 |   cidr_block = "10.0.0.0/16"
		41 |   tags       = merge(local.common_tags, { Name = "Stack2-VPC2" })
		42 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc[0].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc-dev.aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc-prod.aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc-staging.aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc_list["dev"].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc[1].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc_list["prod"].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
	FAILED for resource: module.vpc_list["stag"].aws_vpc.main
	File: /Lesson-31/modules/aws_network/main.tf:14-19
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html

		14 | resource "aws_vpc" "main" {
		15 |   cidr_block = var.vpc_cidr
		16 |   tags = {
		17 |     Name = "${var.env}-vpc"
		18 |   }
		19 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_Ubuntu
	File: /Lesson-01/Lesson-1.tf:4-13
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		4  | resource "aws_instance" "my_Ubuntu" {
		5  |   ami           = "ami-090f10efc254eaf55"
		6  |   instance_type = "t3.micro"
		7  |
		8  |   tags = {
		9  |     Name    = "My Ubuntu Server"
		10 |     Owner   = "Denis Astahov"
		11 |     Project = "Terraform Lessons"
		12 |   }
		13 | }
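For the CKV2_AWS_11 findings listed above, an added example (not repository code) that attaches a flow log to the module's aws_vpc.main and sends it to CloudWatch Logs. The log group, role and policy names are assumptions; aws_vpc.main and var.env match the module code quoted in the findings. A flow log needs a role that the vpc-flow-logs service can assume and that can write to the destination, and the policy below is scoped to the one log group rather than to logs:* on every resource.

```hcl
# Added example (not repository code): VPC flow logs for aws_vpc.main
# with a least-privilege delivery role. Names are assumptions.

resource "aws_cloudwatch_log_group" "flow" {
  name              = "/vpc/${var.env}/flow-logs" # assumed name
  retention_in_days = 90
}

# Only the VPC Flow Logs service may assume the delivery role.
data "aws_iam_policy_document" "flow_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow" {
  name               = "${var.env}-vpc-flow-logs" # assumed name
  assume_role_policy = data.aws_iam_policy_document.flow_assume.json
}

# Write access to this log group (and its streams) only. The provider's
# log group ARN has no trailing ":*", so it is appended for the streams.
data "aws_iam_policy_document" "flow_write" {
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
    ]
    resources = [
      aws_cloudwatch_log_group.flow.arn,
      "${aws_cloudwatch_log_group.flow.arn}:*",
    ]
  }
}

resource "aws_iam_role_policy" "flow" {
  name   = "write-flow-logs"
  role   = aws_iam_role.flow.id
  policy = data.aws_iam_policy_document.flow_write.json
}

# ALL captures accepted and rejected traffic; REJECT-only would be
# cheaper but loses the lateral-movement picture during an incident.
resource "aws_flow_log" "main" {
  vpc_id          = aws_vpc.main.id
  traffic_type    = "ALL"
  log_destination = aws_cloudwatch_log_group.flow.arn
  iam_role_arn    = aws_iam_role.flow.arn

  tags = {
    Name = "${var.env}-vpc-flow-log"
  }
}
```

The check is satisfied once an aws_flow_log references the VPC, whatever the destination, so an S3 bucket (log_destination_type = "s3", no IAM role needed) works equally well and is usually the better choice for long retention. Checkov has separate checks for log-group retention and KMS encryption of log groups that this report does not list; expect them to appear on the next scan.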
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_Amazon
	File: /Lesson-01/Lesson-1.tf:15-24
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		15 | resource "aws_instance" "my_Amazon" {
		16 |   ami           = "ami-03a71cec707bfc3d7"
		17 |   instance_type = "t3.small"
		18 |
		19 |   tags = {
		20 |     Name    = "My Amazon Server"
		21 |     Owner   = "Denis Astahov"
		22 |     Project = "Terraform Lessons"
		23 |   }
		24 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_webserver
	File: /Lesson-02/WebServer.tf:16-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		16 | resource "aws_instance" "my_webserver" {
		17 |   ami                    = "ami-03a71cec707bfc3d7"
		18 |   instance_type          = "t3.micro"
		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
		20 |   user_data              = <WebServer with IP: $myip
		        Build by Terraform!" > /var/www/html/index.html
		26 | sudo service httpd start
		27 | chkconfig httpd on
		28 | EOF
		29 |
		30 |   tags = {
		31 |     Name  = "Web Server Build by Terraform"
		32 |     Owner = "Denis Astahov"
		33 |   }
		34 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_webserver
	File: /Lesson-03/WebServer.tf:16-26
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		16 | resource "aws_instance" "my_webserver" {
		17 |   ami                    = "ami-03a71cec707bfc3d7"
		18 |   instance_type          = "t3.micro"
		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
		20 |   user_data              = file("user_data.sh")
		21 |
		22 |   tags = {
		23 |     Name  = "Web Server Build by Terraform"
		24 |     Owner = "Denis Astahov"
		25 |   }
		26 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_webserver
	File: /Lesson-04/WebServer.tf:16-30
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		16 | resource "aws_instance" "my_webserver" {
		17 |   ami                    = "ami-03a71cec707bfc3d7"
		18 |   instance_type          = "t3.micro"
		19 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
		20 |   user_data = templatefile("user_data.sh.tpl", {
		21 |     f_name = "Denis",
		22 |     l_name = "Astahov",
		23 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
		24 |   })
		25 |
		26 |   tags = {
		27 |     Name  = "Web Server Build by Terraform"
		28 |     Owner = "Denis Astahov"
		29 |   }
		30 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_webserver
	File: /Lesson-06/WebServer.tf:26-45
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		26 | resource "aws_instance" "my_webserver" {
		27 |   ami                    = "ami-07ab3281411d31d04"
		28 |   instance_type          = "t3.micro"
		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
		30 |   user_data = templatefile("user_data.sh.tpl", {
		31 |     f_name = "Denis",
		32 |     l_name = "Astahov",
		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
		34 |   })
		35 |   user_data_replace_on_change = true # Added in the new AWS provider!!!
		36 |
		37 |   tags = {
		38 |     Name  = "Web Server Build by Terraform"
		39 |     Owner = "Denis Astahov"
		40 |   }
		41 |
		42 |   lifecycle {
		43 |     create_before_destroy = true
		44 |   }
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_webserver
	File: /Lesson-07/main.tf:26-45
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		26 | resource "aws_instance" "my_webserver" {
		27 |   ami                    = "ami-07ab3281411d31d04"
		28 |   instance_type          = "t3.micro"
		29 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
		30 |   user_data = templatefile("user_data.sh.tpl", {
		31 |     f_name = "Denis",
		32 |     l_name = "Astahov",
		33 |     names  = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
		34 |   })
		35 |
		36 |   tags = {
		37 |     Name  = "Web Server Build by Terraform"
		38 |     Owner = "Denis Astahov"
		39 |   }
		40 |
		41 |   lifecycle {
		42 |     create_before_destroy = true
		43 |   }
		44 |
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_server_web
	File: /Lesson-08/main.tf:13-22
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		13 | resource "aws_instance" "my_server_web" {
		14 |   ami                    = "ami-03a71cec707bfc3d7"
		15 |   instance_type          = "t3.micro"
		16 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
		17 |
		18 |   tags = {
		19 |     Name = "Server-Web"
		20 |   }
		21 |   depends_on = [aws_instance.my_server_db, aws_instance.my_server_app]
		22 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_server_app
	File: /Lesson-08/main.tf:24-34
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		24 | resource "aws_instance" "my_server_app" {
		25 |   ami                    = "ami-03a71cec707bfc3d7"
		26 |   instance_type          = "t3.micro"
		27 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
		28 |
		29 |   tags = {
		30 |     Name = "Server-Application"
		31 |   }
		32 |
		33 |   depends_on = [aws_instance.my_server_db]
		34 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_server_db
	File: /Lesson-08/main.tf:37-45
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		37 | resource "aws_instance" "my_server_db" {
		38 |   ami                    = "ami-03a71cec707bfc3d7"
		39 |   instance_type          = "t3.micro"
		40 |   vpc_security_group_ids = [aws_security_group.my_webserver.id]
		41 |
		42 |   tags = {
		43 |     Name = "Server-Database"
		44 |   }
		45 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_server
	File: /Lesson-12/main.tf:45-53
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		45 | resource "aws_instance" "my_server" {
		46 |   ami                    = data.aws_ami.latest_amazon_linux.id
		47 |   instance_type          = var.instance_type
		48 |   vpc_security_group_ids = [aws_security_group.my_server.id]
		49 |   monitoring             = var.enable_detailed_monitoring
		50 |
		51 |   tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
		52 |
		53 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_server
	File: /Lesson-13/main.tf:45-53
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		45 | resource "aws_instance" "my_server" {
		46 |   ami                    = data.aws_ami.latest_amazon_linux.id
		47 |   instance_type          = var.instance_type
		48 |   vpc_security_group_ids = [aws_security_group.my_server.id]
		49 |   monitoring             = var.enable_detailed_monitoring
		50 |
		51 |   tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
		52 |
		53 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.myserver
	File: /Lesson-15/main.tf:50-56
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		50 | resource "aws_instance" "myserver" {
		51 |   ami           = "ami-08a9b721ecc5b0a53"
		52 |   instance_type = "t3.micro"
		53 |   provisioner "local-exec" {
		54 |     command = "echo Hello from AWS Instance Creations!"
		55 |   }
		56 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_webserver1
	File: /Lesson-17/main.tf:16-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		16 | resource "aws_instance" "my_webserver1" {
		17 |   ami = "ami-03a71cec707bfc3d7"
		18 |   //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
		19 |   instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
		20 |
		21 |   tags = {
		22 |     Name  = "${var.env}-server"
		23 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		24 |   }
		25 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_webserver2
	File: /Lesson-17/main.tf:28-36
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		28 | resource "aws_instance" "my_webserver2" {
		29 |   ami           = "ami-03a71cec707bfc3d7"
		30 |   instance_type = lookup(var.ec2_size, var.env)
		31 |
		32 |   tags = {
		33 |     Name  = "${var.env}-server"
		34 |     Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
		35 |   }
		36 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_dev_bastion
	File: /Lesson-17/main.tf:40-48
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		40 | resource "aws_instance" "my_dev_bastion" {
		41 |   count         = var.env == "dev" ? 1 : 0
		42 |   ami           = "ami-03a71cec707bfc3d7"
		43 |   instance_type = "t2.micro"
		44 |
		45 |   tags = {
		46 |     Name = "Bastion Server for Dev-server"
		47 |   }
		48 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.servers[0]
	File: /Lesson-18/main.tf:24-31
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		24 | resource "aws_instance" "servers" {
		25 |   count         = 3
		26 |   ami           = "ami-07ab3281411d31d04"
		27 |   instance_type = "t3.micro"
		28 |   tags = {
		29 |     Name = "Server Number ${count.index + 1}"
		30 |   }
		31 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_default_server
	File: /Lesson-19/main.tf:67-73
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		67 | resource "aws_instance" "my_default_server" {
		68 |   instance_type = "t3.micro"
		69 |   ami           = data.aws_ami.defaut_latest_ubuntu.id
		70 |   tags = {
		71 |     Name = "Default Server"
		72 |   }
		73 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_usa_server
	File: /Lesson-19/main.tf:75-82
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		75 | resource "aws_instance" "my_usa_server" {
		76 |   provider      = aws.USA
		77 |   instance_type = "t3.micro"
		78 |   ami           = data.aws_ami.usa_latest_ubuntu.id
		79 |   tags = {
		80 |     Name = "USA Server"
		81 |   }
		82 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.my_ger_server
	File: /Lesson-19/main.tf:84-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		84 | resource "aws_instance" "my_ger_server" {
		85 |   provider      = aws.GER
		86 |   instance_type = "t3.micro"
		87 |   ami           = data.aws_ami.ger_latest_ubuntu.id
		88 |   tags = {
		89 |     Name = "GERMANY Server"
		90 |   }
		91 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.web_server
	File: /Lesson-20/Layer2-Servers/main.tf:42-59
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		42 | resource "aws_instance" "web_server" {
		43 |   ami                    = data.aws_ami.latest_amazon_linux.id
		44 |   instance_type          = "t3.micro"
		45 |   vpc_security_group_ids = [aws_security_group.webserver.id]
		46 |   subnet_id              = data.terraform_remote_state.network.outputs.public_subnet_ids[0]
		47 |   user_data              = <WebServer with IP: $myip
		        Build by Terraform with Remote State" > /var/www/html/index.html
		53 | sudo service httpd start
		54 | chkconfig httpd on
		55 | EOF
		56 |   tags = {
		57 |     Name = "${var.env}-WebServer"
		58 |   }
		59 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.node1
	File: /Lesson-26/import-begin.tf:6-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		6  | resource "aws_instance" "node1" {
		7  |
		8  | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.node2
	File: /Lesson-26/import-begin.tf:10-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		10 | resource "aws_instance" "node2" {
		11 |
		12 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.node3
	File: /Lesson-26/import-begin.tf:14-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		14 | resource "aws_instance" "node3" {
		15 |
		16 | }

Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
	FAILED for resource: aws_instance.node1
	File: /Lesson-26/import-finish.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html

		1  | resource "aws_instance" "node1" {
		2  |   ami                    = "ami-0a634ae95e11c6f91"
		3  |   instance_type          = "t3.micro"
		4  |   vpc_security_group_ids = [aws_security_group.nomad.id]
		5  |   ebs_optimized          = true
		6  |   tags = {
		7  |     Name = "Nomad Ubuntu 
Node-1" 8 | Owner = "Denis Astahov" 9 | } 10 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.node2 File: /Lesson-26/import-finish.tf:12-21 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 12 | resource "aws_instance" "node2" { 13 | ami = "ami-0a634ae95e11c6f91" 14 | instance_type = "t3.micro" 15 | vpc_security_group_ids = [aws_security_group.nomad.id] 16 | ebs_optimized = true 17 | tags = { 18 | Name = "Nomad Ubuntu Node-2" 19 | Owner = "Denis Astahov" 20 | } 21 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.node3 File: /Lesson-26/import-finish.tf:23-32 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 23 | resource "aws_instance" "node3" { 24 | ami = "ami-0a634ae95e11c6f91" 25 | instance_type = "t3.micro" 26 | vpc_security_group_ids = [aws_security_group.nomad.id] 27 | ebs_optimized = true 28 | tags = { 29 | Name = "Nomad Ubuntu Node-3" 30 | Owner = "Denis Astahov" 31 | } 32 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.node1 File: /Lesson-27-v0.15.2+/main.tf:8-15 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 8 | resource "aws_instance" "node1" { 9 | ami = "ami-05655c267c89566dd" 10 | instance_type = "t3.micro" 11 | tags = { 12 | Name = "Node-1" 13 | Owner = "Denis Astahov" 14 | } 15 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.node2 File: 
/Lesson-27-v0.15.2+/main.tf:17-24 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 17 | resource "aws_instance" "node2" { 18 | ami = "ami-05655c267c89566dd" 19 | instance_type = "t3.micro" 20 | tags = { 21 | Name = "Node-2" 22 | Owner = "Denis Astahov" 23 | } 24 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.node3 File: /Lesson-27-v0.15.2+/main.tf:26-34 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 26 | resource "aws_instance" "node3" { 27 | ami = "ami-05655c267c89566dd" 28 | instance_type = "t3.micro" 29 | tags = { 30 | Name = "Node-3" 31 | Owner = "Denis Astahov" 32 | } 33 | depends_on = [aws_instance.node2] 34 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.node1 File: /Lesson-27/main.tf:8-15 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 8 | resource "aws_instance" "node1" { 9 | ami = "ami-05655c267c89566dd" 10 | instance_type = "t3.micro" 11 | tags = { 12 | Name = "Node-1" 13 | Owner = "Denis Astahov" 14 | } 15 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.node2 File: /Lesson-27/main.tf:17-24 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 17 | resource "aws_instance" "node2" { 18 | ami = "ami-05655c267c89566dd" 19 | instance_type = "t3.micro" 20 
| tags = { 21 | Name = "Node-2" 22 | Owner = "Denis Astahov" 23 | } 24 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.node3 File: /Lesson-27/main.tf:26-34 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 26 | resource "aws_instance" "node3" { 27 | ami = "ami-05655c267c89566dd" 28 | instance_type = "t3.micro" 29 | tags = { 30 | Name = "Node-3" 31 | Owner = "Denis Astahov" 32 | } 33 | depends_on = [aws_instance.node2] 34 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.web-prod File: /Lesson-28/new-prod/web-prod.tf:1-19 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 1 | resource "aws_instance" "web-prod" { 2 | ami = data.aws_ami.latest_amazon_linux.id 3 | instance_type = "t3.micro" 4 | vpc_security_group_ids = [aws_security_group.web-prod.id] 5 | user_data = <PROD WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 11 | sudo service httpd start 12 | chkconfig httpd on 13 | EOF 14 | 15 | tags = { 16 | Name = "PROD WebServer" 17 | Owner = "Denis Astahov" 18 | } 19 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.web-stag File: /Lesson-28/new-staging/web-stag.tf:1-19 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 1 | resource "aws_instance" "web-stag" { 2 | ami = data.aws_ami.latest_amazon_linux.id 3 | instance_type = "t3.micro" 4 | vpc_security_group_ids = [aws_security_group.web-stag.id] 5 | user_data = <STAG WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 11 | sudo service httpd start 12 | chkconfig httpd on 13 | EOF 14 | 15 | tags = { 16 | Name = "STAG WebServer" 17 | Owner = "Denis Astahov" 18 | } 19 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.web-prod File: /Lesson-28/old-all/web-prod.tf:1-19 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 1 | resource "aws_instance" "web-prod" { 2 | ami = data.aws_ami.latest_amazon_linux.id 3 | instance_type = "t3.micro" 4 | vpc_security_group_ids = [aws_security_group.web-prod.id] 5 | user_data = <PROD WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 11 | sudo service httpd start 12 | chkconfig httpd on 13 | EOF 14 | 15 | tags = { 16 | Name = "PROD WebServer" 17 | Owner = "Denis Astahov" 18 | } 19 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.web-stag File: /Lesson-28/old-all/web-stag.tf:1-19 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 1 | resource "aws_instance" "web-stag" { 2 | ami = data.aws_ami.latest_amazon_linux.id 3 | instance_type = "t3.micro" 4 | vpc_security_group_ids = [aws_security_group.web-stag.id] 5 | user_data = <STAG WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 11 | sudo service httpd start 12 | chkconfig httpd on 13 | EOF 14 | 15 | tags = { 16 | Name = "STAG WebServer" 17 | Owner = "Denis Astahov" 18 | } 19 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.web File: /Lesson-29/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = "t3.micro" 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <PROD WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "PROD WebServer - ${terraform.workspace}" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.web File: /Lesson-30/main.tf:10-28 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 10 | resource "aws_instance" "web" { 11 | ami = data.aws_ami.latest_amazon_linux.id 12 | instance_type = var.server_size 13 | vpc_security_group_ids = [aws_security_group.web.id] 14 | user_data = <${var.server_name}-WebServer with IP: $myip
    Build by Terraform!" > /var/www/html/index.html 20 | sudo service httpd start 21 | chkconfig httpd on 22 | EOF 23 | 24 | tags = { 25 | Name = "${var.server_name}-WebServer" 26 | Owner = "Denis Astahov" 27 | } 28 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: module.servers.aws_instance.server_root File: /Lesson-32/module_servers/main.tf:46-51 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 46 | resource "aws_instance" "server_root" { 47 | provider = aws.root 48 | ami = data.aws_ami.latest_ubuntu20_root.id 49 | instance_type = var.instance_type 50 | tags = { Name = "Server-ROOT" } 51 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: module.servers.aws_instance.server_prod File: /Lesson-32/module_servers/main.tf:53-58 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 53 | resource "aws_instance" "server_prod" { 54 | provider = aws.prod 55 | ami = data.aws_ami.latest_ubuntu20_prod.id 56 | instance_type = var.instance_type 57 | tags = { Name = "Server-PROD" } 58 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: module.servers.aws_instance.server_dev File: /Lesson-32/module_servers/main.tf:60-65 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 60 | resource "aws_instance" "server_dev" { 61 | provider = aws.dev 62 | ami = data.aws_ami.latest_ubuntu20_dev.id 63 | instance_type = var.instance_type 64 | tags = { Name = "Server-DEV" } 65 | } Check: CKV2_AWS_41: 
"Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.servers[1] File: /Lesson-18/main.tf:24-31 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 24 | resource "aws_instance" "servers" { 25 | count = 3 26 | ami = "ami-07ab3281411d31d04" 27 | instance_type = "t3.micro" 28 | tags = { 29 | Name = "Server Number ${count.index + 1}" 30 | } 31 | } Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance" FAILED for resource: aws_instance.servers[2] File: /Lesson-18/main.tf:24-31 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html 24 | resource "aws_instance" "servers" { 25 | count = 3 26 | ami = "ami-07ab3281411d31d04" 27 | instance_type = "t3.micro" 28 | tags = { 29 | Name = "Server Number ${count.index + 1}" 30 | } 31 | } terraform_plan scan results: Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1 secrets scan results: Passed checks: 0, Failed checks: 1, Skipped checks: 0 Check: CKV_SECRET_13: "Private Key" FAILED for resource: 845742a272b4969174897edaf861275c2bb5220d File: /Lesson-24/mygcp-creds.json:1-2 Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-13.html 1 | // Fake Credentials file, but should look like this

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.

    There is an opportunity to: