| Repository | adv4000 / terraform-lessons |
|---|---|
| Description | Source Code for Course "Terraform From Beginner to Professional" |
| Stars | 195 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the repository's CICD tool configuration files.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:51:46,583 [MainThread ] [WARNI] Failed to download module git@github.com:adv4000/terraform-modules.git//aws_network:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 295, Failed checks: 374, Skipped checks: 0, Parsing errors: 34
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_Ubuntu
File: /Lesson-01/Lesson-1.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
4 | resource "aws_instance" "my_Ubuntu" {
5 | ami = "ami-090f10efc254eaf55"
6 | instance_type = "t3.micro"
7 |
8 | tags = {
9 | Name = "My Ubuntu Server"
10 | Owner = "Denis Astahov"
11 | Project = "Terraform Lessons"
12 | }
13 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_Ubuntu
File: /Lesson-01/Lesson-1.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
4 | resource "aws_instance" "my_Ubuntu" {
5 | ami = "ami-090f10efc254eaf55"
6 | instance_type = "t3.micro"
7 |
8 | tags = {
9 | Name = "My Ubuntu Server"
10 | Owner = "Denis Astahov"
11 | Project = "Terraform Lessons"
12 | }
13 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_Ubuntu
File: /Lesson-01/Lesson-1.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
4 | resource "aws_instance" "my_Ubuntu" {
5 | ami = "ami-090f10efc254eaf55"
6 | instance_type = "t3.micro"
7 |
8 | tags = {
9 | Name = "My Ubuntu Server"
10 | Owner = "Denis Astahov"
11 | Project = "Terraform Lessons"
12 | }
13 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_Ubuntu
File: /Lesson-01/Lesson-1.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
4 | resource "aws_instance" "my_Ubuntu" {
5 | ami = "ami-090f10efc254eaf55"
6 | instance_type = "t3.micro"
7 |
8 | tags = {
9 | Name = "My Ubuntu Server"
10 | Owner = "Denis Astahov"
11 | Project = "Terraform Lessons"
12 | }
13 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_Amazon
File: /Lesson-01/Lesson-1.tf:15-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
15 | resource "aws_instance" "my_Amazon" {
16 | ami = "ami-03a71cec707bfc3d7"
17 | instance_type = "t3.small"
18 |
19 | tags = {
20 | Name = "My Amazon Server"
21 | Owner = "Denis Astahov"
22 | Project = "Terraform Lessons"
23 | }
24 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_Amazon
File: /Lesson-01/Lesson-1.tf:15-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
15 | resource "aws_instance" "my_Amazon" {
16 | ami = "ami-03a71cec707bfc3d7"
17 | instance_type = "t3.small"
18 |
19 | tags = {
20 | Name = "My Amazon Server"
21 | Owner = "Denis Astahov"
22 | Project = "Terraform Lessons"
23 | }
24 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_Amazon
File: /Lesson-01/Lesson-1.tf:15-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
15 | resource "aws_instance" "my_Amazon" {
16 | ami = "ami-03a71cec707bfc3d7"
17 | instance_type = "t3.small"
18 |
19 | tags = {
20 | Name = "My Amazon Server"
21 | Owner = "Denis Astahov"
22 | Project = "Terraform Lessons"
23 | }
24 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_Amazon
File: /Lesson-01/Lesson-1.tf:15-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
15 | resource "aws_instance" "my_Amazon" {
16 | ami = "ami-03a71cec707bfc3d7"
17 | instance_type = "t3.small"
18 |
19 | tags = {
20 | Name = "My Amazon Server"
21 | Owner = "Denis Astahov"
22 | Project = "Terraform Lessons"
23 | }
24 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-02/WebServer.tf:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-02/WebServer.tf:16-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = <<EOF
…WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
26 | sudo service httpd start
27 | chkconfig httpd on
28 | EOF
29 |
30 | tags = {
31 | Name = "Web Server Build by Terraform"
32 | Owner = "Denis Astahov"
33 | }
34 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-02/WebServer.tf:16-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = <<EOF
…WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
26 | sudo service httpd start
27 | chkconfig httpd on
28 | EOF
29 |
30 | tags = {
31 | Name = "Web Server Build by Terraform"
32 | Owner = "Denis Astahov"
33 | }
34 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-02/WebServer.tf:16-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = <<EOF
…WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
26 | sudo service httpd start
27 | chkconfig httpd on
28 | EOF
29 |
30 | tags = {
31 | Name = "Web Server Build by Terraform"
32 | Owner = "Denis Astahov"
33 | }
34 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-02/WebServer.tf:16-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = <<EOF
…WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
26 | sudo service httpd start
27 | chkconfig httpd on
28 | EOF
29 |
30 | tags = {
31 | Name = "Web Server Build by Terraform"
32 | Owner = "Denis Astahov"
33 | }
34 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-02/WebServer.tf:37-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
37 | resource "aws_security_group" "my_webserver" {
38 | name = "WebServer Security Group"
39 | description = "My First SecurityGroup"
40 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
41 |
42 | ingress {
43 | from_port = 80
44 | to_port = 80
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | ingress {
50 | from_port = 443
51 | to_port = 443
52 | protocol = "tcp"
53 | cidr_blocks = ["0.0.0.0/0"]
54 | }
55 |
56 | egress {
57 | from_port = 0
58 | to_port = 0
59 | protocol = "-1"
60 | cidr_blocks = ["0.0.0.0/0"]
61 | }
62 |
63 | tags = {
64 | Name = "Web Server SecurityGroup"
65 | Owner = "Denis Astahov"
66 | }
67 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-02/WebServer.tf:37-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
37 | resource "aws_security_group" "my_webserver" {
38 | name = "WebServer Security Group"
39 | description = "My First SecurityGroup"
40 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
41 |
42 | ingress {
43 | from_port = 80
44 | to_port = 80
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | ingress {
50 | from_port = 443
51 | to_port = 443
52 | protocol = "tcp"
53 | cidr_blocks = ["0.0.0.0/0"]
54 | }
55 |
56 | egress {
57 | from_port = 0
58 | to_port = 0
59 | protocol = "-1"
60 | cidr_blocks = ["0.0.0.0/0"]
61 | }
62 |
63 | tags = {
64 | Name = "Web Server SecurityGroup"
65 | Owner = "Denis Astahov"
66 | }
67 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-03/WebServer.tf:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-03/WebServer.tf:16-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = file("user_data.sh")
21 |
22 | tags = {
23 | Name = "Web Server Build by Terraform"
24 | Owner = "Denis Astahov"
25 | }
26 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-03/WebServer.tf:16-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = file("user_data.sh")
21 |
22 | tags = {
23 | Name = "Web Server Build by Terraform"
24 | Owner = "Denis Astahov"
25 | }
26 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-03/WebServer.tf:16-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = file("user_data.sh")
21 |
22 | tags = {
23 | Name = "Web Server Build by Terraform"
24 | Owner = "Denis Astahov"
25 | }
26 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-03/WebServer.tf:16-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = file("user_data.sh")
21 |
22 | tags = {
23 | Name = "Web Server Build by Terraform"
24 | Owner = "Denis Astahov"
25 | }
26 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-03/WebServer.tf:29-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
29 | resource "aws_security_group" "my_webserver" {
30 | name = "WebServer Security Group"
31 | description = "My First SecurityGroup"
32 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
33 |
34 | ingress {
35 | from_port = 80
36 | to_port = 80
37 | protocol = "tcp"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | ingress {
42 | from_port = 443
43 | to_port = 443
44 | protocol = "tcp"
45 | cidr_blocks = ["0.0.0.0/0"]
46 | }
47 |
48 | egress {
49 | from_port = 0
50 | to_port = 0
51 | protocol = "-1"
52 | cidr_blocks = ["0.0.0.0/0"]
53 | }
54 |
55 | tags = {
56 | Name = "Web Server SecurityGroup"
57 | Owner = "Denis Astahov"
58 | }
59 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-03/WebServer.tf:29-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
29 | resource "aws_security_group" "my_webserver" {
30 | name = "WebServer Security Group"
31 | description = "My First SecurityGroup"
32 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
33 |
34 | ingress {
35 | from_port = 80
36 | to_port = 80
37 | protocol = "tcp"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | }
40 |
41 | ingress {
42 | from_port = 443
43 | to_port = 443
44 | protocol = "tcp"
45 | cidr_blocks = ["0.0.0.0/0"]
46 | }
47 |
48 | egress {
49 | from_port = 0
50 | to_port = 0
51 | protocol = "-1"
52 | cidr_blocks = ["0.0.0.0/0"]
53 | }
54 |
55 | tags = {
56 | Name = "Web Server SecurityGroup"
57 | Owner = "Denis Astahov"
58 | }
59 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-04/WebServer.tf:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-04/WebServer.tf:16-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = templatefile("user_data.sh.tpl", {
21 | f_name = "Denis",
22 | l_name = "Astahov",
23 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
24 | })
25 |
26 | tags = {
27 | Name = "Web Server Build by Terraform"
28 | Owner = "Denis Astahov"
29 | }
30 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-04/WebServer.tf:16-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = templatefile("user_data.sh.tpl", {
21 | f_name = "Denis",
22 | l_name = "Astahov",
23 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
24 | })
25 |
26 | tags = {
27 | Name = "Web Server Build by Terraform"
28 | Owner = "Denis Astahov"
29 | }
30 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-04/WebServer.tf:16-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = templatefile("user_data.sh.tpl", {
21 | f_name = "Denis",
22 | l_name = "Astahov",
23 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
24 | })
25 |
26 | tags = {
27 | Name = "Web Server Build by Terraform"
28 | Owner = "Denis Astahov"
29 | }
30 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-04/WebServer.tf:16-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = templatefile("user_data.sh.tpl", {
21 | f_name = "Denis",
22 | l_name = "Astahov",
23 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
24 | })
25 |
26 | tags = {
27 | Name = "Web Server Build by Terraform"
28 | Owner = "Denis Astahov"
29 | }
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-04/WebServer.tf:33-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
33 | resource "aws_security_group" "my_webserver" {
34 | name = "WebServer Security Group"
35 | description = "My First SecurityGroup"
36 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
37 |
38 | ingress {
39 | from_port = 80
40 | to_port = 80
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 |
45 | ingress {
46 | from_port = 443
47 | to_port = 443
48 | protocol = "tcp"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | egress {
53 | from_port = 0
54 | to_port = 0
55 | protocol = "-1"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | }
58 |
59 | tags = {
60 | Name = "Web Server SecurityGroup"
61 | Owner = "Denis Astahov"
62 | }
63 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-04/WebServer.tf:33-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
33 | resource "aws_security_group" "my_webserver" {
34 | name = "WebServer Security Group"
35 | description = "My First SecurityGroup"
36 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
37 |
38 | ingress {
39 | from_port = 80
40 | to_port = 80
41 | protocol = "tcp"
42 | cidr_blocks = ["0.0.0.0/0"]
43 | }
44 |
45 | ingress {
46 | from_port = 443
47 | to_port = 443
48 | protocol = "tcp"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | egress {
53 | from_port = 0
54 | to_port = 0
55 | protocol = "-1"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | }
58 |
59 | tags = {
60 | Name = "Web Server SecurityGroup"
61 | Owner = "Denis Astahov"
62 | }
63 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-05/DynamicSecurityGroup.tf:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-05/DynamicSecurityGroup.tf:16-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
16 | resource "aws_security_group" "my_webserver" {
17 | name = "Dynamic Security Group"
18 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
19 |
20 |
21 | dynamic "ingress" {
22 | for_each = ["80", "443", "8080", "1541", "9092", "9093"]
23 | content {
24 | from_port = ingress.value
25 | to_port = ingress.value
26 | protocol = "tcp"
27 | cidr_blocks = ["0.0.0.0/0"]
28 | }
29 | }
30 |
31 |
32 | ingress {
33 | from_port = 22
34 | to_port = 22
35 | protocol = "tcp"
36 | cidr_blocks = ["10.10.0.0/16"]
37 | }
38 |
39 |
40 |
41 | egress {
42 | from_port = 0
43 | to_port = 0
44 | protocol = "-1"
45 | cidr_blocks = ["0.0.0.0/0"]
46 | }
47 |
48 | tags = {
49 | Name = "Dynamic SecurityGroup"
50 | Owner = "Denis Astahov"
51 | }
52 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-06/WebServer.tf:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-06/WebServer.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 | user_data_replace_on_change = true # Added in the new AWS provider!!!
36 |
37 | tags = {
38 | Name = "Web Server Build by Terraform"
39 | Owner = "Denis Astahov"
40 | }
41 |
42 | lifecycle {
43 | create_before_destroy = true
44 | }
45 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-06/WebServer.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 | user_data_replace_on_change = true # Added in the new AWS provider!!!
36 |
37 | tags = {
38 | Name = "Web Server Build by Terraform"
39 | Owner = "Denis Astahov"
40 | }
41 |
42 | lifecycle {
43 | create_before_destroy = true
44 | }
45 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-06/WebServer.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 | user_data_replace_on_change = true # Added in the new AWS provider!!!
36 |
37 | tags = {
38 | Name = "Web Server Build by Terraform"
39 | Owner = "Denis Astahov"
40 | }
41 |
42 | lifecycle {
43 | create_before_destroy = true
44 | }
45 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-06/WebServer.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 | user_data_replace_on_change = true # Added in the new AWS provider!!!
36 |
37 | tags = {
38 | Name = "Web Server Build by Terraform"
39 | Owner = "Denis Astahov"
40 | }
41 |
42 | lifecycle {
43 | create_before_destroy = true
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-06/WebServer.tf:48-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
48 | resource "aws_security_group" "my_webserver" {
49 | name = "WebServer Security Group"
50 | description = "My First SecurityGroup"
51 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
52 |
53 | dynamic "ingress" {
54 | for_each = ["80", "443"]
55 | content {
56 | from_port = ingress.value
57 | to_port = ingress.value
58 | protocol = "tcp"
59 | cidr_blocks = ["0.0.0.0/0"]
60 | }
61 | }
62 |
63 |
64 | egress {
65 | from_port = 0
66 | to_port = 0
67 | protocol = "-1"
68 | cidr_blocks = ["0.0.0.0/0"]
69 | }
70 |
71 | tags = {
72 | Name = "Web Server SecurityGroup"
73 | Owner = "Denis Astahov"
74 | }
75 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-07/main.tf:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
14 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-07/main.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 |
36 | tags = {
37 | Name = "Web Server Build by Terraform"
38 | Owner = "Denis Astahov"
39 | }
40 |
41 | lifecycle {
42 | create_before_destroy = true
43 | }
44 |
45 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-07/main.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 |
36 | tags = {
37 | Name = "Web Server Build by Terraform"
38 | Owner = "Denis Astahov"
39 | }
40 |
41 | lifecycle {
42 | create_before_destroy = true
43 | }
44 |
45 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-07/main.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 |
36 | tags = {
37 | Name = "Web Server Build by Terraform"
38 | Owner = "Denis Astahov"
39 | }
40 |
41 | lifecycle {
42 | create_before_destroy = true
43 | }
44 |
45 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-07/main.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 |
36 | tags = {
37 | Name = "Web Server Build by Terraform"
38 | Owner = "Denis Astahov"
39 | }
40 |
41 | lifecycle {
42 | create_before_destroy = true
43 | }
44 |
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-07/main.tf:48-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
48 | resource "aws_security_group" "my_webserver" {
49 | name = "WebServer Security Group"
50 | description = "My First SecurityGroup"
51 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
52 |
53 |
54 | dynamic "ingress" {
55 | for_each = ["80", "443"]
56 | content {
57 | from_port = ingress.value
58 | to_port = ingress.value
59 | protocol = "tcp"
60 | cidr_blocks = ["0.0.0.0/0"]
61 | }
62 | }
63 |
64 |
65 | egress {
66 | from_port = 0
67 | to_port = 0
68 | protocol = "-1"
69 | cidr_blocks = ["0.0.0.0/0"]
70 | }
71 |
72 | tags = {
73 | Name = "Web Server SecurityGroup"
74 | Owner = "Denis Astahov"
75 | }
76 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-08/main.tf:11-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
11 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server_web
File: /Lesson-08/main.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
13 | resource "aws_instance" "my_server_web" {
14 | ami = "ami-03a71cec707bfc3d7"
15 | instance_type = "t3.micro"
16 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
17 |
18 | tags = {
19 | Name = "Server-Web"
20 | }
21 | depends_on = [aws_instance.my_server_db, aws_instance.my_server_app]
22 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server_web
File: /Lesson-08/main.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
13 | resource "aws_instance" "my_server_web" {
14 | ami = "ami-03a71cec707bfc3d7"
15 | instance_type = "t3.micro"
16 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
17 |
18 | tags = {
19 | Name = "Server-Web"
20 | }
21 | depends_on = [aws_instance.my_server_db, aws_instance.my_server_app]
22 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server_web
File: /Lesson-08/main.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
13 | resource "aws_instance" "my_server_web" {
14 | ami = "ami-03a71cec707bfc3d7"
15 | instance_type = "t3.micro"
16 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
17 |
18 | tags = {
19 | Name = "Server-Web"
20 | }
21 | depends_on = [aws_instance.my_server_db, aws_instance.my_server_app]
22 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server_web
File: /Lesson-08/main.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
13 | resource "aws_instance" "my_server_web" {
14 | ami = "ami-03a71cec707bfc3d7"
15 | instance_type = "t3.micro"
16 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
17 |
18 | tags = {
19 | Name = "Server-Web"
20 | }
21 | depends_on = [aws_instance.my_server_db, aws_instance.my_server_app]
22 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server_app
File: /Lesson-08/main.tf:24-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
24 | resource "aws_instance" "my_server_app" {
25 | ami = "ami-03a71cec707bfc3d7"
26 | instance_type = "t3.micro"
27 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
28 |
29 | tags = {
30 | Name = "Server-Application"
31 | }
32 |
33 | depends_on = [aws_instance.my_server_db]
34 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server_app
File: /Lesson-08/main.tf:24-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
24 | resource "aws_instance" "my_server_app" {
25 | ami = "ami-03a71cec707bfc3d7"
26 | instance_type = "t3.micro"
27 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
28 |
29 | tags = {
30 | Name = "Server-Application"
31 | }
32 |
33 | depends_on = [aws_instance.my_server_db]
34 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server_app
File: /Lesson-08/main.tf:24-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
24 | resource "aws_instance" "my_server_app" {
25 | ami = "ami-03a71cec707bfc3d7"
26 | instance_type = "t3.micro"
27 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
28 |
29 | tags = {
30 | Name = "Server-Application"
31 | }
32 |
33 | depends_on = [aws_instance.my_server_db]
34 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server_app
File: /Lesson-08/main.tf:24-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
24 | resource "aws_instance" "my_server_app" {
25 | ami = "ami-03a71cec707bfc3d7"
26 | instance_type = "t3.micro"
27 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
28 |
29 | tags = {
30 | Name = "Server-Application"
31 | }
32 |
33 | depends_on = [aws_instance.my_server_db]
34 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server_db
File: /Lesson-08/main.tf:37-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
37 | resource "aws_instance" "my_server_db" {
38 | ami = "ami-03a71cec707bfc3d7"
39 | instance_type = "t3.micro"
40 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
41 |
42 | tags = {
43 | Name = "Server-Database"
44 | }
45 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server_db
File: /Lesson-08/main.tf:37-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
37 | resource "aws_instance" "my_server_db" {
38 | ami = "ami-03a71cec707bfc3d7"
39 | instance_type = "t3.micro"
40 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
41 |
42 | tags = {
43 | Name = "Server-Database"
44 | }
45 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server_db
File: /Lesson-08/main.tf:37-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
37 | resource "aws_instance" "my_server_db" {
38 | ami = "ami-03a71cec707bfc3d7"
39 | instance_type = "t3.micro"
40 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
41 |
42 | tags = {
43 | Name = "Server-Database"
44 | }
45 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server_db
File: /Lesson-08/main.tf:37-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
37 | resource "aws_instance" "my_server_db" {
38 | ami = "ami-03a71cec707bfc3d7"
39 | instance_type = "t3.micro"
40 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
41 |
42 | tags = {
43 | Name = "Server-Database"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-08/main.tf:49-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
49 | resource "aws_security_group" "my_webserver" {
50 | name = "My Security Group"
51 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
52 |
53 |
54 | dynamic "ingress" {
55 | for_each = ["80", "443", "22"]
56 | content {
57 | from_port = ingress.value
58 | to_port = ingress.value
59 | protocol = "tcp"
60 | cidr_blocks = ["0.0.0.0/0"]
61 | }
62 | }
63 |
64 | egress {
65 | from_port = 0
66 | to_port = 0
67 | protocol = "-1"
68 | cidr_blocks = ["0.0.0.0/0"]
69 | }
70 |
71 | tags = {
72 | Name = "My SecurityGroup"
73 | }
74 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-11-ALB-LaunchTemplate/main.tf:37-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
37 | resource "aws_default_vpc" "default" {}
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web
File: /Lesson-11-ALB-LaunchTemplate/main.tf:48-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
48 | resource "aws_security_group" "web" {
49 | name = "Web Security Group"
50 | vpc_id = aws_default_vpc.default.id
51 | dynamic "ingress" {
52 | for_each = ["80", "443"]
53 | content {
54 | from_port = ingress.value
55 | to_port = ingress.value
56 | protocol = "tcp"
57 | cidr_blocks = ["0.0.0.0/0"]
58 | }
59 | }
60 | egress {
61 | from_port = 0
62 | to_port = 0
63 | protocol = "-1"
64 | cidr_blocks = ["0.0.0.0/0"]
65 | }
66 | tags = {
67 | Name = "Web Security Group"
68 | }
69 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.web
File: /Lesson-11-ALB-LaunchTemplate/main.tf:72-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
72 | resource "aws_launch_template" "web" {
73 | name = "WebServer-Highly-Available-LT"
74 | image_id = data.aws_ami.latest_amazon_linux.id
75 | instance_type = "t3.micro"
76 | vpc_security_group_ids = [aws_security_group.web.id]
77 | user_data = filebase64("${path.module}/user_data.sh")
78 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.web
File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
111 | resource "aws_lb" "web" {
112 | name = "WebServer-HighlyAvailable-ALB"
113 | load_balancer_type = "application"
114 | security_groups = [aws_security_group.web.id]
115 | subnets = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
116 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.web
File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
111 | resource "aws_lb" "web" {
112 | name = "WebServer-HighlyAvailable-ALB"
113 | load_balancer_type = "application"
114 | security_groups = [aws_security_group.web.id]
115 | subnets = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
116 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.web
File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
111 | resource "aws_lb" "web" {
112 | name = "WebServer-HighlyAvailable-ALB"
113 | load_balancer_type = "application"
114 | security_groups = [aws_security_group.web.id]
115 | subnets = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
116 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.web
File: /Lesson-11-ALB-LaunchTemplate/main.tf:118-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
118 | resource "aws_lb_target_group" "web" {
119 | name = "WebServer-HighlyAvailable-TG"
120 | vpc_id = aws_default_vpc.default.id
121 | port = 80
122 | protocol = "HTTP"
123 | deregistration_delay = 10 # seconds
124 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http
File: /Lesson-11-ALB-LaunchTemplate/main.tf:126-135
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
126 | resource "aws_lb_listener" "http" {
127 | load_balancer_arn = aws_lb.web.arn
128 | port = "80"
129 | protocol = "HTTP"
130 |
131 | default_action {
132 | type = "forward"
133 | target_group_arn = aws_lb_target_group.web.arn
134 | }
135 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-11-ELB-LaunchConfiguration/main.tf:16-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
16 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web
File: /Lesson-11-ELB-LaunchConfiguration/main.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
29 | resource "aws_security_group" "web" {
30 | name = "Dynamic Security Group"
31 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
32 |
33 | dynamic "ingress" {
34 | for_each = ["80", "443"]
35 | content {
36 | from_port = ingress.value
37 | to_port = ingress.value
38 | protocol = "tcp"
39 | cidr_blocks = ["0.0.0.0/0"]
40 | }
41 | }
42 | egress {
43 | from_port = 0
44 | to_port = 0
45 | protocol = "-1"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | tags = {
50 | Name = "Dynamic SecurityGroup"
51 | Owner = "Denis Astahov"
52 | }
53 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.web
File: /Lesson-11-ELB-LaunchConfiguration/main.tf:56-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
56 | resource "aws_launch_configuration" "web" {
57 | // name = "WebServer-Highly-Available-LC"
58 | name_prefix = "WebServer-Highly-Available-LC-"
59 | image_id = data.aws_ami.latest_amazon_linux.id
60 | instance_type = "t3.micro"
61 | security_groups = [aws_security_group.web.id]
62 | user_data = file("user_data.sh")
63 |
64 | lifecycle {
65 | create_before_destroy = true
66 | }
67 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.web
File: /Lesson-11-ELB-LaunchConfiguration/main.tf:56-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
56 | resource "aws_launch_configuration" "web" {
57 | // name = "WebServer-Highly-Available-LC"
58 | name_prefix = "WebServer-Highly-Available-LC-"
59 | image_id = data.aws_ami.latest_amazon_linux.id
60 | instance_type = "t3.micro"
61 | security_groups = [aws_security_group.web.id]
62 | user_data = file("user_data.sh")
63 |
64 | lifecycle {
65 | create_before_destroy = true
66 | }
67 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.web
File: /Lesson-11-ELB-LaunchConfiguration/main.tf:71-97
71 | resource "aws_autoscaling_group" "web" {
72 | name = "ASG-${aws_launch_configuration.web.name}"
73 | launch_configuration = aws_launch_configuration.web.name
74 | min_size = 2
75 | max_size = 2
76 | min_elb_capacity = 2
77 | health_check_type = "ELB"
78 | vpc_zone_identifier = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
79 | load_balancers = [aws_elb.web.name]
80 |
81 | dynamic "tag" {
82 | for_each = {
83 | Name = "WebServer in ASG"
84 | Owner = "Denis Astahov"
85 | TAGKEY = "TAGVALUE"
86 | }
87 | content {
88 | key = tag.key
89 | value = tag.value
90 | propagate_at_launch = true
91 | }
92 | }
93 |
94 | lifecycle {
95 | create_before_destroy = true
96 | }
97 | }
Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
FAILED for resource: aws_elb.web
File: /Lesson-11-ELB-LaunchConfiguration/main.tf:100-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
100 | resource "aws_elb" "web" {
101 | name = "WebServer-HA-ELB"
102 | availability_zones = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]]
103 | security_groups = [aws_security_group.web.id]
104 | listener {
105 | lb_port = 80
106 | lb_protocol = "http"
107 | instance_port = 80
108 | instance_protocol = "http"
109 | }
110 | health_check {
111 | healthy_threshold = 2
112 | unhealthy_threshold = 2
113 | timeout = 3
114 | target = "HTTP:80/"
115 | interval = 10
116 | }
117 | tags = {
118 | Name = "WebServer-Highly-Available-ELB"
119 | }
120 | }
Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager"
FAILED for resource: aws_elb.web
File: /Lesson-11-ELB-LaunchConfiguration/main.tf:100-120
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html
100 | resource "aws_elb" "web" {
101 | name = "WebServer-HA-ELB"
102 | availability_zones = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]]
103 | security_groups = [aws_security_group.web.id]
104 | listener {
105 | lb_port = 80
106 | lb_protocol = "http"
107 | instance_port = 80
108 | instance_protocol = "http"
109 | }
110 | health_check {
111 | healthy_threshold = 2
112 | unhealthy_threshold = 2
113 | timeout = 3
114 | target = "HTTP:80/"
115 | interval = 10
116 | }
117 | tags = {
118 | Name = "WebServer-Highly-Available-ELB"
119 | }
120 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-12/main.tf:15-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
15 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server
File: /Lesson-12/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server
File: /Lesson-12/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server
File: /Lesson-12/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server
File: /Lesson-12/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_server
File: /Lesson-12/main.tf:56-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
56 | resource "aws_security_group" "my_server" {
57 | name = "My Security Group"
58 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
59 |
60 | dynamic "ingress" {
61 | for_each = var.allow_ports
62 | content {
63 | from_port = ingress.value
64 | to_port = ingress.value
65 | protocol = "tcp"
66 | cidr_blocks = ["0.0.0.0/0"]
67 | }
68 | }
69 | egress {
70 | from_port = 0
71 | to_port = 0
72 | protocol = "-1"
73 | cidr_blocks = ["0.0.0.0/0"]
74 | }
75 |
76 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server SecurityGroup" })
77 |
78 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-13/main.tf:15-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
15 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server
File: /Lesson-13/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server
File: /Lesson-13/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server
File: /Lesson-13/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server
File: /Lesson-13/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_server
File: /Lesson-13/main.tf:56-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
56 | resource "aws_security_group" "my_server" {
57 | name = "My Security Group"
58 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
59 |
60 | dynamic "ingress" {
61 | for_each = var.allow_ports
62 | content {
63 | from_port = ingress.value
64 | to_port = ingress.value
65 | protocol = "tcp"
66 | cidr_blocks = ["0.0.0.0/0"]
67 | }
68 | }
69 | egress {
70 | from_port = 0
71 | to_port = 0
72 | protocol = "-1"
73 | cidr_blocks = ["0.0.0.0/0"]
74 | }
75 |
76 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server SecurityGroup" })
77 |
78 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.myserver
File: /Lesson-15/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
50 | resource "aws_instance" "myserver" {
51 | ami = "ami-08a9b721ecc5b0a53"
52 | instance_type = "t3.micro"
53 | provisioner "local-exec" {
54 | command = "echo Hello from AWS Instance Creations!"
55 | }
56 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.myserver
File: /Lesson-15/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
50 | resource "aws_instance" "myserver" {
51 | ami = "ami-08a9b721ecc5b0a53"
52 | instance_type = "t3.micro"
53 | provisioner "local-exec" {
54 | command = "echo Hello from AWS Instance Creations!"
55 | }
56 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.myserver
File: /Lesson-15/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
50 | resource "aws_instance" "myserver" {
51 | ami = "ami-08a9b721ecc5b0a53"
52 | instance_type = "t3.micro"
53 | provisioner "local-exec" {
54 | command = "echo Hello from AWS Instance Creations!"
55 | }
56 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.myserver
File: /Lesson-15/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
50 | resource "aws_instance" "myserver" {
51 | ami = "ami-08a9b721ecc5b0a53"
52 | instance_type = "t3.micro"
53 | provisioner "local-exec" {
54 | command = "echo Hello from AWS Instance Creations!"
55 | }
56 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: aws_ssm_parameter.rds_password
File: /Lesson-16/main.tf:28-33
28 | resource "aws_ssm_parameter" "rds_password" {
29 | name = "/prod/mysql"
30 | description = "Master Password for RDS MySQL"
31 | type = "SecureString"
32 | value = random_string.rds_password.result
33 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-17/main.tf:13-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
13 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_webserver1
File: /Lesson-17/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
16 | resource "aws_instance" "my_webserver1" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
19 | instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
20 |
21 | tags = {
22 | Name = "${var.env}-server"
23 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
24 | }
25 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_webserver1
File: /Lesson-17/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "my_webserver1" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
19 | instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
20 |
21 | tags = {
22 | Name = "${var.env}-server"
23 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
24 | }
25 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_webserver1
File: /Lesson-17/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "my_webserver1" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
19 | instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
20 |
21 | tags = {
22 | Name = "${var.env}-server"
23 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
24 | }
25 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_webserver1
File: /Lesson-17/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "my_webserver1" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
19 | instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
20 |
21 | tags = {
22 | Name = "${var.env}-server"
23 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
24 | }
25 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_webserver2
File: /Lesson-17/main.tf:28-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
28 | resource "aws_instance" "my_webserver2" {
29 | ami = "ami-03a71cec707bfc3d7"
30 | instance_type = lookup(var.ec2_size, var.env)
31 |
32 | tags = {
33 | Name = "${var.env}-server"
34 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
35 | }
36 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_webserver2
File: /Lesson-17/main.tf:28-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
28 | resource "aws_instance" "my_webserver2" {
29 | ami = "ami-03a71cec707bfc3d7"
30 | instance_type = lookup(var.ec2_size, var.env)
31 |
32 | tags = {
33 | Name = "${var.env}-server"
34 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
35 | }
36 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_webserver2
File: /Lesson-17/main.tf:28-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
28 | resource "aws_instance" "my_webserver2" {
29 | ami = "ami-03a71cec707bfc3d7"
30 | instance_type = lookup(var.ec2_size, var.env)
31 |
32 | tags = {
33 | Name = "${var.env}-server"
34 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
35 | }
36 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_webserver2
File: /Lesson-17/main.tf:28-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
28 | resource "aws_instance" "my_webserver2" {
29 | ami = "ami-03a71cec707bfc3d7"
30 | instance_type = lookup(var.ec2_size, var.env)
31 |
32 | tags = {
33 | Name = "${var.env}-server"
34 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
35 | }
36 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_dev_bastion
File: /Lesson-17/main.tf:40-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
40 | resource "aws_instance" "my_dev_bastion" {
41 | count = var.env == "dev" ? 1 : 0
42 | ami = "ami-03a71cec707bfc3d7"
43 | instance_type = "t2.micro"
44 |
45 | tags = {
46 | Name = "Bastion Server for Dev-server"
47 | }
48 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_dev_bastion
File: /Lesson-17/main.tf:40-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
40 | resource "aws_instance" "my_dev_bastion" {
41 | count = var.env == "dev" ? 1 : 0
42 | ami = "ami-03a71cec707bfc3d7"
43 | instance_type = "t2.micro"
44 |
45 | tags = {
46 | Name = "Bastion Server for Dev-server"
47 | }
48 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_dev_bastion
File: /Lesson-17/main.tf:40-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
40 | resource "aws_instance" "my_dev_bastion" {
41 | count = var.env == "dev" ? 1 : 0
42 | ami = "ami-03a71cec707bfc3d7"
43 | instance_type = "t2.micro"
44 |
45 | tags = {
46 | Name = "Bastion Server for Dev-server"
47 | }
48 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_dev_bastion
File: /Lesson-17/main.tf:40-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
40 | resource "aws_instance" "my_dev_bastion" {
41 | count = var.env == "dev" ? 1 : 0
42 | ami = "ami-03a71cec707bfc3d7"
43 | instance_type = "t2.micro"
44 |
45 | tags = {
46 | Name = "Bastion Server for Dev-server"
47 | }
48 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-17/main.tf:52-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
52 | resource "aws_security_group" "my_webserver" {
53 | name = "Dynamic Security Group"
54 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
55 |
56 | dynamic "ingress" {
57 | for_each = lookup(var.allow_port_list, var.env)
58 | content {
59 | from_port = ingress.value
60 | to_port = ingress.value
61 | protocol = "tcp"
62 | cidr_blocks = ["0.0.0.0/0"]
63 | }
64 | }
65 | egress {
66 | from_port = 0
67 | to_port = 0
68 | protocol = "-1"
69 | cidr_blocks = ["0.0.0.0/0"]
70 | }
71 |
72 | tags = {
73 | Name = "Dynamic SecurityGroup"
74 | Owner = "Denis Astahov"
75 | }
76 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.user1
File: /Lesson-18/main.tf:13-15
13 | resource "aws_iam_user" "user1" {
14 | name = "pushkin"
15 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.users[0]
File: /Lesson-18/main.tf:17-20
17 | resource "aws_iam_user" "users" {
18 | count = length(var.aws_users)
19 | name = element(var.aws_users, count.index)
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.servers[0]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.servers[0]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.servers[0]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.servers[0]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.users[1]
File: /Lesson-18/main.tf:17-20
17 | resource "aws_iam_user" "users" {
18 | count = length(var.aws_users)
19 | name = element(var.aws_users, count.index)
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.users[2]
File: /Lesson-18/main.tf:17-20
17 | resource "aws_iam_user" "users" {
18 | count = length(var.aws_users)
19 | name = element(var.aws_users, count.index)
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.users[3]
File: /Lesson-18/main.tf:17-20
17 | resource "aws_iam_user" "users" {
18 | count = length(var.aws_users)
19 | name = element(var.aws_users, count.index)
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.users[4]
File: /Lesson-18/main.tf:17-20
17 | resource "aws_iam_user" "users" {
18 | count = length(var.aws_users)
19 | name = element(var.aws_users, count.index)
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.users[5]
File: /Lesson-18/main.tf:17-20
17 | resource "aws_iam_user" "users" {
18 | count = length(var.aws_users)
19 | name = element(var.aws_users, count.index)
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.users[6]
File: /Lesson-18/main.tf:17-20
17 | resource "aws_iam_user" "users" {
18 | count = length(var.aws_users)
19 | name = element(var.aws_users, count.index)
20 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.users[7]
File: /Lesson-18/main.tf:17-20
17 | resource "aws_iam_user" "users" {
18 | count = length(var.aws_users)
19 | name = element(var.aws_users, count.index)
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.servers[1]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.servers[1]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.servers[1]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.servers[1]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.servers[2]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.servers[2]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.servers[2]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.servers[2]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_default_server
File: /Lesson-19/main.tf:67-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
67 | resource "aws_instance" "my_default_server" {
68 | instance_type = "t3.micro"
69 | ami = data.aws_ami.defaut_latest_ubuntu.id
70 | tags = {
71 | Name = "Default Server"
72 | }
73 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_default_server
File: /Lesson-19/main.tf:67-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
67 | resource "aws_instance" "my_default_server" {
68 | instance_type = "t3.micro"
69 | ami = data.aws_ami.defaut_latest_ubuntu.id
70 | tags = {
71 | Name = "Default Server"
72 | }
73 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_default_server
File: /Lesson-19/main.tf:67-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
67 | resource "aws_instance" "my_default_server" {
68 | instance_type = "t3.micro"
69 | ami = data.aws_ami.defaut_latest_ubuntu.id
70 | tags = {
71 | Name = "Default Server"
72 | }
73 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_default_server
File: /Lesson-19/main.tf:67-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
67 | resource "aws_instance" "my_default_server" {
68 | instance_type = "t3.micro"
69 | ami = data.aws_ami.defaut_latest_ubuntu.id
70 | tags = {
71 | Name = "Default Server"
72 | }
73 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_usa_server
File: /Lesson-19/main.tf:75-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
75 | resource "aws_instance" "my_usa_server" {
76 | provider = aws.USA
77 | instance_type = "t3.micro"
78 | ami = data.aws_ami.usa_latest_ubuntu.id
79 | tags = {
80 | Name = "USA Server"
81 | }
82 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_usa_server
File: /Lesson-19/main.tf:75-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
75 | resource "aws_instance" "my_usa_server" {
76 | provider = aws.USA
77 | instance_type = "t3.micro"
78 | ami = data.aws_ami.usa_latest_ubuntu.id
79 | tags = {
80 | Name = "USA Server"
81 | }
82 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_usa_server
File: /Lesson-19/main.tf:75-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
75 | resource "aws_instance" "my_usa_server" {
76 | provider = aws.USA
77 | instance_type = "t3.micro"
78 | ami = data.aws_ami.usa_latest_ubuntu.id
79 | tags = {
80 | Name = "USA Server"
81 | }
82 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_usa_server
File: /Lesson-19/main.tf:75-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
75 | resource "aws_instance" "my_usa_server" {
76 | provider = aws.USA
77 | instance_type = "t3.micro"
78 | ami = data.aws_ami.usa_latest_ubuntu.id
79 | tags = {
80 | Name = "USA Server"
81 | }
82 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_ger_server
File: /Lesson-19/main.tf:84-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
84 | resource "aws_instance" "my_ger_server" {
85 | provider = aws.GER
86 | instance_type = "t3.micro"
87 | ami = data.aws_ami.ger_latest_ubuntu.id
88 | tags = {
89 | Name = "GERMANY Server"
90 | }
91 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_ger_server
File: /Lesson-19/main.tf:84-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
84 | resource "aws_instance" "my_ger_server" {
85 | provider = aws.GER
86 | instance_type = "t3.micro"
87 | ami = data.aws_ami.ger_latest_ubuntu.id
88 | tags = {
89 | Name = "GERMANY Server"
90 | }
91 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_ger_server
File: /Lesson-19/main.tf:84-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
84 | resource "aws_instance" "my_ger_server" {
85 | provider = aws.GER
86 | instance_type = "t3.micro"
87 | ami = data.aws_ami.ger_latest_ubuntu.id
88 | tags = {
89 | Name = "GERMANY Server"
90 | }
91 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_ger_server
File: /Lesson-19/main.tf:84-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
84 | resource "aws_instance" "my_ger_server" {
85 | provider = aws.GER
86 | instance_type = "t3.micro"
87 | ami = data.aws_ami.ger_latest_ubuntu.id
88 | tags = {
89 | Name = "GERMANY Server"
90 | }
91 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnets[0]
File: /Lesson-20/Layer1-Network/main.tf:39-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
39 | resource "aws_subnet" "public_subnets" {
40 | count = length(var.public_subnet_cidrs)
41 | vpc_id = aws_vpc.main.id
42 | cidr_block = element(var.public_subnet_cidrs, count.index)
43 | availability_zone = data.aws_availability_zones.available.names[count.index]
44 | map_public_ip_on_launch = true
45 | tags = {
46 | Name = "${var.env}-puvlic-${count.index + 1}"
47 | }
48 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_subnets[1]
File: /Lesson-20/Layer1-Network/main.tf:39-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
39 | resource "aws_subnet" "public_subnets" {
40 | count = length(var.public_subnet_cidrs)
41 | vpc_id = aws_vpc.main.id
42 | cidr_block = element(var.public_subnet_cidrs, count.index)
43 | availability_zone = data.aws_availability_zones.available.names[count.index]
44 | map_public_ip_on_launch = true
45 | tags = {
46 | Name = "${var.env}-puvlic-${count.index + 1}"
47 | }
48 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web_server
File: /Lesson-20/Layer2-Servers/main.tf:42-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
42 | resource "aws_instance" "web_server" {
43 | ami = data.aws_ami.latest_amazon_linux.id
44 | instance_type = "t3.micro"
45 | vpc_security_group_ids = [aws_security_group.webserver.id]
46 | subnet_id = data.terraform_remote_state.network.outputs.public_subnet_ids[0]
47 | user_data = <WebServer with IP: $myip
Build by Terraform with Remote State" > /var/www/html/index.html
53 | sudo service httpd start
54 | chkconfig httpd on
55 | EOF
56 | tags = {
57 | Name = "${var.env}-WebServer"
58 | }
59 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web_server
File: /Lesson-20/Layer2-Servers/main.tf:42-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
42 | resource "aws_instance" "web_server" {
43 | ami = data.aws_ami.latest_amazon_linux.id
44 | instance_type = "t3.micro"
45 | vpc_security_group_ids = [aws_security_group.webserver.id]
46 | subnet_id = data.terraform_remote_state.network.outputs.public_subnet_ids[0]
47 | user_data = <WebServer with IP: $myip
Build by Terraform with Remote State" > /var/www/html/index.html
53 | sudo service httpd start
54 | chkconfig httpd on
55 | EOF
56 | tags = {
57 | Name = "${var.env}-WebServer"
58 | }
59 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web_server
File: /Lesson-20/Layer2-Servers/main.tf:42-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
42 | resource "aws_instance" "web_server" {
43 | ami = data.aws_ami.latest_amazon_linux.id
44 | instance_type = "t3.micro"
45 | vpc_security_group_ids = [aws_security_group.webserver.id]
46 | subnet_id = data.terraform_remote_state.network.outputs.public_subnet_ids[0]
47 | user_data = <WebServer with IP: $myip
Build by Terraform with Remote State" > /var/www/html/index.html
53 | sudo service httpd start
54 | chkconfig httpd on
55 | EOF
56 | tags = {
57 | Name = "${var.env}-WebServer"
58 | }
59 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web_server
File: /Lesson-20/Layer2-Servers/main.tf:42-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
42 | resource "aws_instance" "web_server" {
43 | ami = data.aws_ami.latest_amazon_linux.id
44 | instance_type = "t3.micro"
45 | vpc_security_group_ids = [aws_security_group.webserver.id]
46 | subnet_id = data.terraform_remote_state.network.outputs.public_subnet_ids[0]
47 | user_data = <WebServer with IP: $myip
Build by Terraform with Remote State" > /var/www/html/index.html
53 | sudo service httpd start
54 | chkconfig httpd on
55 | EOF
56 | tags = {
57 | Name = "${var.env}-WebServer"
58 | }
59 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.webserver
File: /Lesson-20/Layer2-Servers/main.tf:61-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
61 | resource "aws_security_group" "webserver" {
62 | name = "WebServer Security Group"
63 | vpc_id = data.terraform_remote_state.network.outputs.vpc_id
64 |
65 | ingress {
66 | from_port = 80
67 | to_port = 80
68 | protocol = "tcp"
69 | cidr_blocks = ["0.0.0.0/0"]
70 | }
71 |
72 | ingress {
73 | from_port = 22
74 | to_port = 22
75 | protocol = "tcp"
76 | cidr_blocks = [data.terraform_remote_state.network.outputs.vpc_cidr]
77 | }
78 | egress {
79 | from_port = 0
80 | to_port = 0
81 | protocol = "-1"
82 | cidr_blocks = ["0.0.0.0/0"]
83 | }
84 |
85 | tags = {
86 | Name = "${var.env}-web-server-sg"
87 | Owner = "Denis Astahov"
88 | }
89 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.webserver
File: /Lesson-20/Layer2-Servers/main.tf:61-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
61 | resource "aws_security_group" "webserver" {
62 | name = "WebServer Security Group"
63 | vpc_id = data.terraform_remote_state.network.outputs.vpc_id
64 |
65 | ingress {
66 | from_port = 80
67 | to_port = 80
68 | protocol = "tcp"
69 | cidr_blocks = ["0.0.0.0/0"]
70 | }
71 |
72 | ingress {
73 | from_port = 22
74 | to_port = 22
75 | protocol = "tcp"
76 | cidr_blocks = [data.terraform_remote_state.network.outputs.vpc_cidr]
77 | }
78 | egress {
79 | from_port = 0
80 | to_port = 0
81 | protocol = "-1"
82 | cidr_blocks = ["0.0.0.0/0"]
83 | }
84 |
85 | tags = {
86 | Name = "${var.env}-web-server-sg"
87 | Owner = "Denis Astahov"
88 | }
89 | }
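The two findings above are of different kinds, and a practitioner should treat them differently. CKV_AWS_23 is a hygiene check: every `ingress`/`egress` block gets a `description`, so a reviewer of the console or of `describe-security-groups` output can tell an intentional rule from a leftover. CKV_AWS_260 is a policy check: it fires on any rule that admits `0.0.0.0/0` to port 80, and for a host whose purpose is to serve HTTP the right answer is usually to record the exception with a justification rather than to remove the rule or silence the tool globally. The block below is an added example written for this page, not code from the repository; it keeps the original remote-state outputs and tag values and adds only descriptions and an inline, commented checkov skip (checkov's `#checkov:skip=CHECK_ID:reason` syntax, which is reported in the scan output rather than hidden). Note that the Nomad security group in Lesson-26 later in this report has a different problem that descriptions do not address: it opens every TCP port (0-65535) to the world.

```hcl
resource "aws_security_group" "webserver" {
  name        = "WebServer Security Group"
  description = "Web tier: HTTP from the internet, SSH only from inside the VPC"
  vpc_id      = data.terraform_remote_state.network.outputs.vpc_id

  # CKV_AWS_260 flags HTTP from 0.0.0.0/0. Public HTTP is the purpose of this
  # host, so the exception is documented in place. checkov lists it as SKIPPED
  # with this reason instead of counting it as a pass.
  #checkov:skip=CKV_AWS_260:Public web server; HTTP from the internet is the intended exposure

  ingress {
    description = "HTTP from anywhere (public web server)" # CKV_AWS_23
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "SSH only from inside the VPC (bastion or SSM endpoint)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [data.terraform_remote_state.network.outputs.vpc_cidr]
  }

  egress {
    description = "Outbound to the internet for package updates"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name  = "${var.env}-web-server-sg"
    Owner = "Denis Astahov"
  }
}
```

Changing `description` on an `aws_security_group` resource forces replacement of the group, so on an existing deployment expect a destroy/create of the group and a brief interruption; the per-rule descriptions inside `ingress`/`egress` are updated in place.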
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-default.aws_subnet.public_subnets[0]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:12-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-default.aws_subnet.public_subnets[1]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:12-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-default.aws_subnet.public_subnets[2]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:12-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-dev.aws_subnet.public_subnets[0]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-dev.aws_subnet.public_subnets[1]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-prod.aws_subnet.public_subnets[0]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:26-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-prod.aws_subnet.public_subnets[1]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:26-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-prod.aws_subnet.public_subnets[2]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:26-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-test.aws_subnet.public_subnets[0]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:35-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: module.vpc-test.aws_subnet.public_subnets[1]
File: /Lesson-21/modules/aws_network/main.tf:32-41
Calling File: /Lesson-21/projectA/main.tf:35-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_subnets" {
33 | count = length(var.public_subnet_cidrs)
34 | vpc_id = aws_vpc.main.id
35 | cidr_block = element(var.public_subnet_cidrs, count.index)
36 | availability_zone = data.aws_availability_zones.available.names[count.index]
37 | map_public_ip_on_launch = true
38 | tags = {
39 | Name = "${var.env}-public-${count.index + 1}"
40 | }
41 | }
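CKV_AWS_130 fires on `map_public_ip_on_launch = true` because it makes every instance launched into the subnet internet-addressable by default, whether or not the person launching it intended that. A subnet is "public" because its route table points at an internet gateway, not because of this flag, so the flag can be turned off without changing the subnet's role; the instance that genuinely needs a public address then opts in with `associate_public_ip_address`. The example below is added for this page and is not the repository's module; it shows the module side (the resource from `Lesson-21/modules/aws_network/main.tf`, which is also the shape of the Lesson-20 subnet) with the behaviour exposed as a variable that defaults to off, and a caller that opts one instance in. The module output name `public_subnet_ids` and the data source `data.aws_ami.latest_amazon_linux` are assumed from the Lesson-20 code shown in this report.

```hcl
# --- module side: modules/aws_network ---
variable "public_subnet_auto_assign_ip" {
  description = "Give every instance in the public subnets a public IP at launch. Off by default (CKV_AWS_130)."
  type        = bool
  default     = false
}

resource "aws_subnet" "public_subnets" {
  count                   = length(var.public_subnet_cidrs)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = element(var.public_subnet_cidrs, count.index)
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = var.public_subnet_auto_assign_ip # false unless a caller asks for it
  tags = {
    Name = "${var.env}-public-${count.index + 1}"
  }
}

# --- caller side: projectA ---
module "vpc-dev" {
  source              = "../modules/aws_network"
  env                 = "dev"
  public_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] # assumed values
  # public_subnet_auto_assign_ip left at its default (false)
}

# Only the host that must be reachable from the internet gets a public address.
resource "aws_instance" "web_server" {
  ami                         = data.aws_ami.latest_amazon_linux.id
  instance_type               = "t3.micro"
  subnet_id                   = module.vpc-dev.public_subnet_ids[0] # assumed module output
  associate_public_ip_address = true                                # explicit opt-in
  vpc_security_group_ids      = [aws_security_group.webserver.id]
  tags = {
    Name = "dev-WebServer"
  }
}
```

Flipping `map_public_ip_on_launch` is an in-place update on the subnet and does not affect instances that already have a public IP; it only changes what future launches get.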
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.my_server
File: /Lesson-24/main.tf:18-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
18 | resource "google_compute_instance" "my_server" {
19 | name = "my-gcp-server"
20 | machine_type = "f1-micro"
21 | boot_disk {
22 | initialize_params {
23 | image = "debian-cloud/debian-9"
24 | }
25 | }
26 |
27 | network_interface {
28 | network = "default"
29 | }
30 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.my_server
File: /Lesson-24/main.tf:18-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
18 | resource "google_compute_instance" "my_server" {
19 | name = "my-gcp-server"
20 | machine_type = "f1-micro"
21 | boot_disk {
22 | initialize_params {
23 | image = "debian-cloud/debian-9"
24 | }
25 | }
26 |
27 | network_interface {
28 | network = "default"
29 | }
30 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.my_server
File: /Lesson-24/main.tf:18-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
18 | resource "google_compute_instance" "my_server" {
19 | name = "my-gcp-server"
20 | machine_type = "f1-micro"
21 | boot_disk {
22 | initialize_params {
23 | image = "debian-cloud/debian-9"
24 | }
25 | }
26 |
27 | network_interface {
28 | network = "default"
29 | }
30 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance.my_server
File: /Lesson-24/main.tf:18-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
18 | resource "google_compute_instance" "my_server" {
19 | name = "my-gcp-server"
20 | machine_type = "f1-micro"
21 | boot_disk {
22 | initialize_params {
23 | image = "debian-cloud/debian-9"
24 | }
25 | }
26 |
27 | network_interface {
28 | network = "default"
29 | }
30 | }
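The four GCP findings all come from the same minimal instance, and all four are fixed on the resource itself. The block below is an added example for this page, not the Lesson-24 code: it gives the instance a dedicated service account instead of the project's default Compute Engine identity (CKV_GCP_30), turns on the three Shielded VM options (CKV_GCP_39), blocks project-wide SSH keys via instance metadata (CKV_GCP_32), and points the boot disk at a customer-managed KMS key (CKV_GCP_38). Assumptions: a `google_kms_crypto_key.disk` resource exists and the Compute Engine service agent has been granted `roles/cloudkms.cryptoKeyEncrypterDecrypter` on it (without that grant the instance fails to create); the image is moved from the end-of-life `debian-9` to the `debian-12` family, since Shielded VM requires a UEFI-capable image. The check's title says CSEK, but checkov's implementation of CKV_GCP_38 passes the resource if `boot_disk` carries either `disk_encryption_key_raw` or `kms_key_self_link`; a KMS key is the option that does not require handling raw key material in Terraform state.

```hcl
# Least-privilege identity for this VM (CKV_GCP_30). Grant it IAM roles as needed;
# the default compute service account carries project Editor on older projects.
resource "google_service_account" "my_server" {
  account_id   = "my-gcp-server-sa"
  display_name = "Service account for my-gcp-server"
}

resource "google_compute_instance" "my_server" {
  name         = "my-gcp-server"
  machine_type = "f1-micro"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12" # assumed current image family; UEFI, Shielded VM capable
    }
    # CKV_GCP_38: customer-managed encryption key (assumed to exist in this configuration).
    kms_key_self_link = google_kms_crypto_key.disk.id
  }

  # CKV_GCP_39: Shielded VM. Secure Boot rejects unsigned kernels/modules, the vTPM
  # backs measured boot, and integrity monitoring surfaces boot-time changes in Cloud Logging.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  # CKV_GCP_32: keys added at the project level cannot log in here.
  # OS Login ties SSH to IAM identities instead of metadata-managed keys.
  metadata = {
    block-project-ssh-keys = true
    enable-oslogin         = true
  }

  network_interface {
    network = "default"
    # No access_config block, as in the original: the VM gets no external IP.
    # Reach it through IAP TCP forwarding or from inside the VPC.
  }

  service_account {
    email  = google_service_account.my_server.email
    # Authorization comes from the IAM roles bound to the service account,
    # not from narrowing scopes; cloud-platform is Google's recommended scope.
    scopes = ["cloud-platform"]
  }
}
```

Changing the service account or the Shielded VM options on an existing instance requires it to be stopped; changing the boot disk key means a new boot disk, so plan these as a replacement rather than an in-place edit.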
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-begin.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
6 | resource "aws_instance" "node1" {
7 |
8 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-begin.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
6 | resource "aws_instance" "node1" {
7 |
8 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-begin.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
6 | resource "aws_instance" "node1" {
7 |
8 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-begin.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
6 | resource "aws_instance" "node1" {
7 |
8 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-begin.tf:10-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
10 | resource "aws_instance" "node2" {
11 |
12 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-begin.tf:10-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
10 | resource "aws_instance" "node2" {
11 |
12 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-begin.tf:10-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
10 | resource "aws_instance" "node2" {
11 |
12 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-begin.tf:10-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
10 | resource "aws_instance" "node2" {
11 |
12 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-begin.tf:14-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
14 | resource "aws_instance" "node3" {
15 |
16 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-begin.tf:14-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
14 | resource "aws_instance" "node3" {
15 |
16 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-begin.tf:14-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
14 | resource "aws_instance" "node3" {
15 |
16 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-begin.tf:14-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
14 | resource "aws_instance" "node3" {
15 |
16 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nomad
File: /Lesson-26/import-begin.tf:18-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
18 | resource "aws_security_group" "nomad" {
19 |
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-finish.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "node1" {
2 | ami = "ami-0a634ae95e11c6f91"
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.nomad.id]
5 | ebs_optimized = true
6 | tags = {
7 | Name = "Nomad Ubuntu Node-1"
8 | Owner = "Denis Astahov"
9 | }
10 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-finish.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "node1" {
2 | ami = "ami-0a634ae95e11c6f91"
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.nomad.id]
5 | ebs_optimized = true
6 | tags = {
7 | Name = "Nomad Ubuntu Node-1"
8 | Owner = "Denis Astahov"
9 | }
10 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-finish.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "node1" {
2 | ami = "ami-0a634ae95e11c6f91"
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.nomad.id]
5 | ebs_optimized = true
6 | tags = {
7 | Name = "Nomad Ubuntu Node-1"
8 | Owner = "Denis Astahov"
9 | }
10 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-finish.tf:12-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
12 | resource "aws_instance" "node2" {
13 | ami = "ami-0a634ae95e11c6f91"
14 | instance_type = "t3.micro"
15 | vpc_security_group_ids = [aws_security_group.nomad.id]
16 | ebs_optimized = true
17 | tags = {
18 | Name = "Nomad Ubuntu Node-2"
19 | Owner = "Denis Astahov"
20 | }
21 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-finish.tf:12-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
12 | resource "aws_instance" "node2" {
13 | ami = "ami-0a634ae95e11c6f91"
14 | instance_type = "t3.micro"
15 | vpc_security_group_ids = [aws_security_group.nomad.id]
16 | ebs_optimized = true
17 | tags = {
18 | Name = "Nomad Ubuntu Node-2"
19 | Owner = "Denis Astahov"
20 | }
21 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-finish.tf:12-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
12 | resource "aws_instance" "node2" {
13 | ami = "ami-0a634ae95e11c6f91"
14 | instance_type = "t3.micro"
15 | vpc_security_group_ids = [aws_security_group.nomad.id]
16 | ebs_optimized = true
17 | tags = {
18 | Name = "Nomad Ubuntu Node-2"
19 | Owner = "Denis Astahov"
20 | }
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-finish.tf:23-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
23 | resource "aws_instance" "node3" {
24 | ami = "ami-0a634ae95e11c6f91"
25 | instance_type = "t3.micro"
26 | vpc_security_group_ids = [aws_security_group.nomad.id]
27 | ebs_optimized = true
28 | tags = {
29 | Name = "Nomad Ubuntu Node-3"
30 | Owner = "Denis Astahov"
31 | }
32 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-finish.tf:23-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
23 | resource "aws_instance" "node3" {
24 | ami = "ami-0a634ae95e11c6f91"
25 | instance_type = "t3.micro"
26 | vpc_security_group_ids = [aws_security_group.nomad.id]
27 | ebs_optimized = true
28 | tags = {
29 | Name = "Nomad Ubuntu Node-3"
30 | Owner = "Denis Astahov"
31 | }
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-finish.tf:23-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
23 | resource "aws_instance" "node3" {
24 | ami = "ami-0a634ae95e11c6f91"
25 | instance_type = "t3.micro"
26 | vpc_security_group_ids = [aws_security_group.nomad.id]
27 | ebs_optimized = true
28 | tags = {
29 | Name = "Nomad Ubuntu Node-3"
30 | Owner = "Denis Astahov"
31 | }
32 | }
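Two things worth separating in the Lesson-26 results. The findings against `import-begin.tf` are raised on empty placeholder blocks whose only purpose is to receive `terraform import`; they are expected and disappear once the blocks are filled in as in `import-finish.tf`. If both files stay in the repository, keep the stubs out of the scan with `checkov -d . --skip-path Lesson-26/import-begin.tf` rather than by suppressing the checks. The findings against `import-finish.tf`, and the identical CKV_AWS_126/8/79/135 findings on every other `aws_instance` in this report (Lesson-19, Lesson-20), are real and are fixed with the same four settings. The block below is an added example for this page, not the repository's code, written against `node1`; it also carries an illustrative `user_data` script (not in the original node) because the Lesson-20 web server's bootstrap reads the instance IP from the metadata service (the visible fragment prints `$myip`), and once IMDSv2 is required any token-less `curl http://169.254.169.254/...` in such a script returns 401 and the script breaks.

```hcl
resource "aws_instance" "node1" {
  ami                    = "ami-0a634ae95e11c6f91"
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.nomad.id]

  monitoring    = true # CKV_AWS_126: 1-minute CloudWatch metrics; detailed monitoring is billed
  ebs_optimized = true # CKV_AWS_135: t3 is EBS-optimized by default; stating it explicitly satisfies the check

  # CKV_AWS_79: require IMDSv2. With http_tokens = "required" an unauthenticated GET
  # to 169.254.169.254 gets 401, which is what stops an SSRF in a web app from
  # reading the instance role's credentials. A hop limit of 1 keeps the token
  # response from crossing a NAT hop into containers running on the host.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypted root volume. This is ForceNew: on an imported instance
  # Terraform will replace it, because an existing unencrypted root volume
  # cannot be switched to encrypted in place.
  root_block_device {
    encrypted = true
    # kms_key_id = aws_kms_key.ebs.arn   # optional CMK instead of the account default EBS key
  }

  # Illustrative bootstrap (not part of the original node): the IMDSv2 form of
  # "read my private IP". Fetch a session token first, then present it.
  user_data = <<-EOF
    #!/bin/bash
    TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
              -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
    myip=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
              "http://169.254.169.254/latest/meta-data/local-ipv4")
    echo "node private IP: $myip" > /var/tmp/node-ip.txt
  EOF

  tags = {
    Name  = "Nomad Ubuntu Node-1"
    Owner = "Denis Astahov"
  }
}
```

Of the four settings, `monitoring`, `ebs_optimized` and `metadata_options` are in-place updates (the IMDSv2 change can also be applied to a running instance with `aws ec2 modify-instance-metadata-options --http-tokens required`); only the root-volume encryption forces a replacement, so apply it to the imported Nomad nodes one at a time.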
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-26/import-finish.tf:34-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
34 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nomad
File: /Lesson-26/import-finish.tf:35-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
35 | resource "aws_security_group" "nomad" {
36 | description = "Nomad"
37 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
38 |
39 | ingress {
40 | from_port = 0
41 | to_port = 65535
42 | protocol = "tcp"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | egress {
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 | tags = {
52 | Name = "Nomad Cluster"
53 | Owner = "Denis Astahov"
54 | }
55 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.nomad
File: /Lesson-26/import-finish.tf:35-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
35 | resource "aws_security_group" "nomad" {
36 | description = "Nomad"
37 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
38 |
39 | ingress {
40 | from_port = 0
41 | to_port = 65535
42 | protocol = "tcp"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | egress {
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 | tags = {
52 | Name = "Nomad Cluster"
53 | Owner = "Denis Astahov"
54 | }
55 | }
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: aws_security_group.nomad
File: /Lesson-26/import-finish.tf:35-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-2.html
35 | resource "aws_security_group" "nomad" {
36 | description = "Nomad"
37 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
38 |
39 | ingress {
40 | from_port = 0
41 | to_port = 65535
42 | protocol = "tcp"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | egress {
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 | tags = {
52 | Name = "Nomad Cluster"
53 | Owner = "Denis Astahov"
54 | }
55 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.nomad
File: /Lesson-26/import-finish.tf:35-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
35 | resource "aws_security_group" "nomad" {
36 | description = "Nomad"
37 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
38 |
39 | ingress {
40 | from_port = 0
41 | to_port = 65535
42 | protocol = "tcp"
43 | cidr_blocks = ["0.0.0.0/0"]
44 | }
45 | egress {
46 | from_port = 0
47 | to_port = 0
48 | protocol = "-1"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 | tags = {
52 | Name = "Nomad Cluster"
53 | Owner = "Denis Astahov"
54 | }
55 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node1
File: /Lesson-27-v0.15.2+/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node1
File: /Lesson-27-v0.15.2+/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node1
File: /Lesson-27-v0.15.2+/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node1
File: /Lesson-27-v0.15.2+/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node2
File: /Lesson-27-v0.15.2+/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node2
File: /Lesson-27-v0.15.2+/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node2
File: /Lesson-27-v0.15.2+/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node2
File: /Lesson-27-v0.15.2+/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node3
File: /Lesson-27-v0.15.2+/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node3
File: /Lesson-27-v0.15.2+/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node3
File: /Lesson-27-v0.15.2+/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node3
File: /Lesson-27-v0.15.2+/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node1
File: /Lesson-27/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node1
File: /Lesson-27/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node1
File: /Lesson-27/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node1
File: /Lesson-27/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node2
File: /Lesson-27/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node2
File: /Lesson-27/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node2
File: /Lesson-27/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node2
File: /Lesson-27/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.node3
File: /Lesson-27/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.node3
File: /Lesson-27/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.node3
File: /Lesson-27/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.node3
File: /Lesson-27/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/new-prod/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/new-prod/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/new-prod/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/new-prod/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-28/new-prod/web-prod.tf:21-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
21 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web-prod
File: /Lesson-28/new-prod/web-prod.tf:23-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
23 | resource "aws_security_group" "web-prod" {
24 | name = "WebServer SG Prod"
25 | description = "My First SecurityGroup"
26 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
27 |
28 | ingress {
29 | from_port = 80
30 | to_port = 80
31 | protocol = "tcp"
32 | cidr_blocks = ["0.0.0.0/0"]
33 | }
34 |
35 | egress {
36 | from_port = 0
37 | to_port = 0
38 | protocol = "-1"
39 | cidr_blocks = ["0.0.0.0/0"]
40 | }
41 |
42 | tags = {
43 | Name = "Web Server SecurityGroup"
44 | Owner = "Denis Astahov"
45 | }
46 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.web-prod
File: /Lesson-28/new-prod/web-prod.tf:23-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
23 | resource "aws_security_group" "web-prod" {
24 | name = "WebServer SG Prod"
25 | description = "My First SecurityGroup"
26 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
27 |
28 | ingress {
29 | from_port = 80
30 | to_port = 80
31 | protocol = "tcp"
32 | cidr_blocks = ["0.0.0.0/0"]
33 | }
34 |
35 | egress {
36 | from_port = 0
37 | to_port = 0
38 | protocol = "-1"
39 | cidr_blocks = ["0.0.0.0/0"]
40 | }
41 |
42 | tags = {
43 | Name = "Web Server SecurityGroup"
44 | Owner = "Denis Astahov"
45 | }
46 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/new-staging/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <STAG WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/new-staging/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <STAG WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/new-staging/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <STAG WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/new-staging/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <STAG WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-28/new-staging/web-stag.tf:21-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
21 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web-stag
File: /Lesson-28/new-staging/web-stag.tf:23-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
23 | resource "aws_security_group" "web-stag" {
24 | name = "WebServer SG Stag"
25 | description = "My First SecurityGroup"
26 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
27 |
28 | ingress {
29 | from_port = 80
30 | to_port = 80
31 | protocol = "tcp"
32 | cidr_blocks = ["0.0.0.0/0"]
33 | }
34 |
35 | egress {
36 | from_port = 0
37 | to_port = 0
38 | protocol = "-1"
39 | cidr_blocks = ["0.0.0.0/0"]
40 | }
41 |
42 | tags = {
43 | Name = "Web Server SecurityGroup"
44 | Owner = "Denis Astahov"
45 | }
46 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.web-stag
File: /Lesson-28/new-staging/web-stag.tf:23-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
23 | resource "aws_security_group" "web-stag" {
24 | name = "WebServer SG Stag"
25 | description = "My First SecurityGroup"
26 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
27 |
28 | ingress {
29 | from_port = 80
30 | to_port = 80
31 | protocol = "tcp"
32 | cidr_blocks = ["0.0.0.0/0"]
33 | }
34 |
35 | egress {
36 | from_port = 0
37 | to_port = 0
38 | protocol = "-1"
39 | cidr_blocks = ["0.0.0.0/0"]
40 | }
41 |
42 | tags = {
43 | Name = "Web Server SecurityGroup"
44 | Owner = "Denis Astahov"
45 | }
46 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-28/old-all/main.tf:13-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
13 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/old-all/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/old-all/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/old-all/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/old-all/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web-prod
File: /Lesson-28/old-all/web-prod.tf:21-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
21 | resource "aws_security_group" "web-prod" {
22 | name = "WebServer SG Prod"
23 | description = "My First SecurityGroup"
24 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
25 |
26 | ingress {
27 | from_port = 80
28 | to_port = 80
29 | protocol = "tcp"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 |
40 | tags = {
41 | Name = "Web Server SecurityGroup"
42 | Owner = "Denis Astahov"
43 | }
44 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.web-prod
File: /Lesson-28/old-all/web-prod.tf:21-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
21 | resource "aws_security_group" "web-prod" {
22 | name = "WebServer SG Prod"
23 | description = "My First SecurityGroup"
24 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
25 |
26 | ingress {
27 | from_port = 80
28 | to_port = 80
29 | protocol = "tcp"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 |
40 | tags = {
41 | Name = "Web Server SecurityGroup"
42 | Owner = "Denis Astahov"
43 | }
44 | }
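The six findings above all come from two resources in Lesson-28/old-all/web-prod.tf. Below is an added example, not the course repository's own code, showing the same file rewritten so that CKV_AWS_8, CKV_AWS_79, CKV_AWS_126, CKV_AWS_135, CKV_AWS_23 and CKV_AWS_260 no longer fire. It assumes two inputs the original does not have: `var.vpc_id` (an explicitly created VPC, replacing `aws_default_vpc`) and `var.alb_sg_id` (the security group of a public load balancer in front of the server). The AMI filter, the AL2023 `dnf`/`systemctl` commands and the IMDSv2 token fetch are this example's, not the lesson's.

```hcl
# Added example: Lesson-28 web-prod.tf remediated for the checkov findings above.
# Assumed inputs (not in the original): var.vpc_id, var.alb_sg_id.

variable "vpc_id" { type = string }    # assumed: an explicitly created VPC
variable "alb_sg_id" { type = string } # assumed: SG of the public load balancer

data "aws_ami" "latest_amazon_linux" {
  owners      = ["amazon"]
  most_recent = true
  filter {
    name   = "name"
    values = ["al2023-ami-2023*-x86_64"]
  }
}

resource "aws_instance" "web-prod" {
  ami                    = data.aws_ami.latest_amazon_linux.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.web-prod.id]

  monitoring    = true # CKV_AWS_126: detailed (1-minute) CloudWatch metrics, billed per instance
  ebs_optimized = true # CKV_AWS_135: t3 is EBS-optimized anyway; the check wants it stated

  # CKV_AWS_79: IMDSv2 only. Every metadata read now needs a session token, which
  # closes the classic SSRF -> 169.254.169.254 -> instance-role-credentials path.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # a token request from a second network hop (bridge-mode container) gets no answer
  }

  # CKV_AWS_8: encrypt the root volume. Without kms_key_id the account's default
  # aws/ebs key is used; set kms_key_id to use a customer-managed key.
  root_block_device {
    encrypted   = true
    volume_type = "gp3"
  }

  # With IMDSv1 disabled the bootstrap must fetch a token first; a bare
  # `curl http://169.254.169.254/latest/meta-data/...` now returns 401.
  user_data = <<-EOF
    #!/bin/bash
    dnf -y install httpd
    TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    myip=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
      http://169.254.169.254/latest/meta-data/local-ipv4)
    echo "<h2>PROD WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
    systemctl enable --now httpd
  EOF

  tags = {
    Name  = "PROD WebServer"
    Owner = "Denis Astahov"
  }
}

resource "aws_security_group" "web-prod" {
  name        = "WebServer SG Prod"
  description = "PROD web server: HTTP from the ALB in, HTTPS out for package repos"
  vpc_id      = var.vpc_id

  # CKV_AWS_23 wants a description on every rule. CKV_AWS_260 wants port 80 not
  # open to 0.0.0.0/0, so the source is the load balancer's security group.
  ingress {
    description     = "HTTP from the public ALB only"
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [var.alb_sg_id]
  }

  # The original allowed every protocol to 0.0.0.0/0. A web tier needs outbound
  # HTTPS (AL2023 repositories and AWS APIs); IMDS is link-local and unaffected.
  egress {
    description = "HTTPS to package repositories and AWS APIs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name  = "Web Server SecurityGroup"
    Owner = "Denis Astahov"
  }
}
```

CKV_AWS_260 is a policy call rather than a defect: a server that is meant to face the internet directly without a load balancer will legitimately accept port 80 from anywhere (ideally only to redirect to 443). In that case keep the world-open rule and record the decision with an inline suppression inside the resource block, `#checkov:skip=CKV_AWS_260:Public web server, HTTP redirects to HTTPS`, so the scan stays green for a documented reason instead of an undocumented one.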
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/old-all/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <<EOF
[lines 6-9 lost in extraction]
10 | echo "<h2>STAG WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/old-all/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <<EOF
[lines 6-9 lost in extraction]
10 | echo "<h2>STAG WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/old-all/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <<EOF
[lines 6-9 lost in extraction]
10 | echo "<h2>STAG WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/old-all/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <<EOF
[lines 6-9 lost in extraction]
10 | echo "<h2>STAG WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web-stag
File: /Lesson-28/old-all/web-stag.tf:21-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
21 | resource "aws_security_group" "web-stag" {
22 | name = "WebServer SG Stag"
23 | description = "My First SecurityGroup"
24 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
25 |
26 | ingress {
27 | from_port = 80
28 | to_port = 80
29 | protocol = "tcp"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 |
40 | tags = {
41 | Name = "Web Server SecurityGroup"
42 | Owner = "Denis Astahov"
43 | }
44 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.web-stag
File: /Lesson-28/old-all/web-stag.tf:21-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
21 | resource "aws_security_group" "web-stag" {
22 | name = "WebServer SG Stag"
23 | description = "My First SecurityGroup"
24 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
25 |
26 | ingress {
27 | from_port = 80
28 | to_port = 80
29 | protocol = "tcp"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 |
33 | egress {
34 | from_port = 0
35 | to_port = 0
36 | protocol = "-1"
37 | cidr_blocks = ["0.0.0.0/0"]
38 | }
39 |
40 | tags = {
41 | Name = "Web Server SecurityGroup"
42 | Owner = "Denis Astahov"
43 | }
44 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /Lesson-29/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = "t3.micro"
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <<EOF
[lines 15-18 lost in extraction]
19 | echo "<h2>PROD WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "PROD WebServer - ${terraform.workspace}"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /Lesson-29/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = "t3.micro"
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <<EOF
[lines 15-18 lost in extraction]
19 | echo "<h2>PROD WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "PROD WebServer - ${terraform.workspace}"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /Lesson-29/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = "t3.micro"
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <<EOF
[lines 15-18 lost in extraction]
19 | echo "<h2>PROD WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "PROD WebServer - ${terraform.workspace}"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /Lesson-29/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = "t3.micro"
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <<EOF
[lines 15-18 lost in extraction]
19 | echo "<h2>PROD WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "PROD WebServer - ${terraform.workspace}"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-29/main.tf:30-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
30 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
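`aws_default_vpc` does not create anything; it adopts the account's default VPC into state, so every security group and instance in Lesson-29 ends up in the shared, pre-built network that CKV_AWS_148 objects to. The following is an added example, not the course repository's code, that replaces the shortcut with tag lookups against a purpose-built VPC and pins the instance to one of its private subnets. The tag values (`Name = prod-vpc`, `Tier = private`) are assumed conventions; `data.aws_ami.latest_amazon_linux` is assumed to exist as in the original main.tf.

```hcl
# Added example: Lesson-29 main.tf without aws_default_vpc (CKV_AWS_148).
# Assumed tags on a VPC/subnets created elsewhere: Name=prod-vpc, Tier=private.

data "aws_vpc" "app" {
  filter {
    name   = "tag:Name"
    values = ["prod-vpc"] # assumed
  }
}

data "aws_subnets" "private" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.app.id]
  }
  filter {
    name   = "tag:Tier"
    values = ["private"] # assumed
  }
}

resource "aws_security_group" "web" {
  name_prefix = "WebServer SG Prod"
  description = "PROD web server"
  vpc_id      = data.aws_vpc.app.id # was aws_default_vpc.default.id
  # ingress/egress rules as in the original, each with a description (CKV_AWS_23)
}

resource "aws_instance" "web" {
  ami                    = data.aws_ami.latest_amazon_linux.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.web.id]

  # Without subnet_id EC2 launches into the default VPC's default subnet for the
  # AZ, and the launch is rejected because the security group belongs to another
  # VPC. Pinning a private subnet is what actually moves the server off the
  # default network; the data-source change alone only moves the security group.
  subnet_id = sort(data.aws_subnets.private.ids)[0]

  tags = { Name = "PROD WebServer - ${terraform.workspace}" }
}
```

`sort()` is used rather than indexing `ids` directly so the expression works whether the provider returns the subnet IDs as a list or a set, and so the chosen subnet is stable between plans.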
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web
File: /Lesson-29/main.tf:32-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
32 | resource "aws_security_group" "web" {
33 | name_prefix = "WebServer SG Prod"
34 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
35 |
36 | ingress {
37 | from_port = 80
38 | to_port = 80
39 | protocol = "tcp"
40 | cidr_blocks = ["0.0.0.0/0"]
41 | }
42 | egress {
43 | from_port = 0
44 | to_port = 0
45 | protocol = "-1"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | tags = {
50 | Name = "Web Server SecurityGroup - ${terraform.workspace}"
51 | Owner = "Denis Astahov"
52 | }
53 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.web
File: /Lesson-29/main.tf:32-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
32 | resource "aws_security_group" "web" {
33 | name_prefix = "WebServer SG Prod"
34 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
35 |
36 | ingress {
37 | from_port = 80
38 | to_port = 80
39 | protocol = "tcp"
40 | cidr_blocks = ["0.0.0.0/0"]
41 | }
42 | egress {
43 | from_port = 0
44 | to_port = 0
45 | protocol = "-1"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | tags = {
50 | Name = "Web Server SecurityGroup - ${terraform.workspace}"
51 | Owner = "Denis Astahov"
52 | }
53 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /Lesson-30/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = var.server_size
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <<EOF
[lines 15-18 lost in extraction]
19 | echo "<h2>${var.server_name}-WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "${var.server_name}-WebServer"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /Lesson-30/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = var.server_size
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <<EOF
[lines 15-18 lost in extraction]
19 | echo "<h2>${var.server_name}-WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "${var.server_name}-WebServer"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /Lesson-30/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = var.server_size
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <<EOF
[lines 15-18 lost in extraction]
19 | echo "<h2>${var.server_name}-WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "${var.server_name}-WebServer"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /Lesson-30/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = var.server_size
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <<EOF
[lines 15-18 lost in extraction]
19 | echo "<h2>${var.server_name}-WebServer with IP: $myip</h2><br>Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "${var.server_name}-WebServer"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /Lesson-30/main.tf:30-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
30 | resource "aws_default_vpc" "default" {} # This need to be added since AWS Provider v4.29+ to get VPC id
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web
File: /Lesson-30/main.tf:32-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
32 | resource "aws_security_group" "web" {
33 | name_prefix = "${var.server_name}-WebServer-SG"
34 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
35 |
36 | ingress {
37 | from_port = 80
38 | to_port = 80
39 | protocol = "tcp"
40 | cidr_blocks = ["0.0.0.0/0"]
41 | }
42 | egress {
43 | from_port = 0
44 | to_port = 0
45 | protocol = "-1"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | tags = {
50 | Name = "${var.server_name}-WebServer SecurityGroup"
51 | Owner = "Denis Astahov"
52 | }
53 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.web
File: /Lesson-30/main.tf:32-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
32 | resource "aws_security_group" "web" {
33 | name_prefix = "${var.server_name}-WebServer-SG"
34 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
35 |
36 | ingress {
37 | from_port = 80
38 | to_port = 80
39 | protocol = "tcp"
40 | cidr_blocks = ["0.0.0.0/0"]
41 | }
42 | egress {
43 | from_port = 0
44 | to_port = 0
45 | protocol = "-1"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | tags = {
50 | Name = "${var.server_name}-WebServer SecurityGroup"
51 | Owner = "Denis Astahov"
52 | }
53 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.servers.aws_instance.server_root
File: /Lesson-32/module_servers/main.tf:46-51
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
46 | resource "aws_instance" "server_root" {
47 | provider = aws.root
48 | ami = data.aws_ami.latest_ubuntu20_root.id
49 | instance_type = var.instance_type
50 | tags = { Name = "Server-ROOT" }
51 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.servers.aws_instance.server_root
File: /Lesson-32/module_servers/main.tf:46-51
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
46 | resource "aws_instance" "server_root" {
47 | provider = aws.root
48 | ami = data.aws_ami.latest_ubuntu20_root.id
49 | instance_type = var.instance_type
50 | tags = { Name = "Server-ROOT" }
51 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.servers.aws_instance.server_root
File: /Lesson-32/module_servers/main.tf:46-51
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
46 | resource "aws_instance" "server_root" {
47 | provider = aws.root
48 | ami = data.aws_ami.latest_ubuntu20_root.id
49 | instance_type = var.instance_type
50 | tags = { Name = "Server-ROOT" }
51 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.servers.aws_instance.server_root
File: /Lesson-32/module_servers/main.tf:46-51
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
46 | resource "aws_instance" "server_root" {
47 | provider = aws.root
48 | ami = data.aws_ami.latest_ubuntu20_root.id
49 | instance_type = var.instance_type
50 | tags = { Name = "Server-ROOT" }
51 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.servers.aws_instance.server_prod
File: /Lesson-32/module_servers/main.tf:53-58
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
53 | resource "aws_instance" "server_prod" {
54 | provider = aws.prod
55 | ami = data.aws_ami.latest_ubuntu20_prod.id
56 | instance_type = var.instance_type
57 | tags = { Name = "Server-PROD" }
58 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.servers.aws_instance.server_prod
File: /Lesson-32/module_servers/main.tf:53-58
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
53 | resource "aws_instance" "server_prod" {
54 | provider = aws.prod
55 | ami = data.aws_ami.latest_ubuntu20_prod.id
56 | instance_type = var.instance_type
57 | tags = { Name = "Server-PROD" }
58 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.servers.aws_instance.server_prod
File: /Lesson-32/module_servers/main.tf:53-58
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
53 | resource "aws_instance" "server_prod" {
54 | provider = aws.prod
55 | ami = data.aws_ami.latest_ubuntu20_prod.id
56 | instance_type = var.instance_type
57 | tags = { Name = "Server-PROD" }
58 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.servers.aws_instance.server_prod
File: /Lesson-32/module_servers/main.tf:53-58
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
53 | resource "aws_instance" "server_prod" {
54 | provider = aws.prod
55 | ami = data.aws_ami.latest_ubuntu20_prod.id
56 | instance_type = var.instance_type
57 | tags = { Name = "Server-PROD" }
58 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: module.servers.aws_instance.server_dev
File: /Lesson-32/module_servers/main.tf:60-65
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
60 | resource "aws_instance" "server_dev" {
61 | provider = aws.dev
62 | ami = data.aws_ami.latest_ubuntu20_dev.id
63 | instance_type = var.instance_type
64 | tags = { Name = "Server-DEV" }
65 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: module.servers.aws_instance.server_dev
File: /Lesson-32/module_servers/main.tf:60-65
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
60 | resource "aws_instance" "server_dev" {
61 | provider = aws.dev
62 | ami = data.aws_ami.latest_ubuntu20_dev.id
63 | instance_type = var.instance_type
64 | tags = { Name = "Server-DEV" }
65 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: module.servers.aws_instance.server_dev
File: /Lesson-32/module_servers/main.tf:60-65
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
60 | resource "aws_instance" "server_dev" {
61 | provider = aws.dev
62 | ami = data.aws_ami.latest_ubuntu20_dev.id
63 | instance_type = var.instance_type
64 | tags = { Name = "Server-DEV" }
65 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: module.servers.aws_instance.server_dev
File: /Lesson-32/module_servers/main.tf:60-65
Calling File: /Lesson-32/main.tf:24-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
60 | resource "aws_instance" "server_dev" {
61 | provider = aws.dev
62 | ami = data.aws_ami.latest_ubuntu20_dev.id
63 | instance_type = var.instance_type
64 | tags = { Name = "Server-DEV" }
65 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.default
File: /Lesson-16/main.tf:43-56
43 | resource "aws_db_instance" "default" {
44 | identifier = "prod-rds"
45 | allocated_storage = 20
46 | storage_type = "gp2"
47 | engine = "mysql"
48 | engine_version = "5.7"
49 | instance_class = "db.t2.micro"
50 | name = "prod"
51 | username = "administrator"
52 | password = data.aws_ssm_parameter.my_rds_password.value
53 | parameter_group_name = "default.mysql5.7"
54 | skip_final_snapshot = true
55 | apply_immediately = true
56 | }
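CKV2_AWS_60 is the only finding reported for this resource, but the snippet shows several settings that matter more for a database named `prod-rds`: `skip_final_snapshot = true` lets a destroy drop it with no snapshot, storage is unencrypted, and `apply_immediately = true` applies reboot-requiring changes outside the maintenance window. Below is an added example, not the course repository's code, with the `copy_tags_to_snapshot` fix and those settings corrected. It assumes `data.aws_ssm_parameter.my_rds_password` exists as in the original; the snapshot name `prod-rds-final` and the MySQL 8.0 engine are this example's choices.

```hcl
# Added example: Lesson-16 aws_db_instance remediated (CKV2_AWS_60 and beyond).
# Assumed: data.aws_ssm_parameter.my_rds_password as in the original.

resource "aws_db_instance" "default" {
  identifier           = "prod-rds"
  allocated_storage    = 20
  storage_type         = "gp3"
  engine               = "mysql"
  engine_version       = "8.0"
  instance_class       = "db.t3.micro"
  db_name              = "prod" # `name`, used in the original, was removed in AWS provider v5
  username             = "administrator"
  password             = data.aws_ssm_parameter.my_rds_password.value
  parameter_group_name = "default.mysql8.0"

  copy_tags_to_snapshot = true # CKV2_AWS_60: snapshots inherit the instance's tags

  storage_encrypted   = true  # default aws/rds key unless kms_key_id is set
  publicly_accessible = false # no internet-reachable endpoint for a prod database
  deletion_protection = true  # a destroy must first set this to false and apply

  # The original's skip_final_snapshot = true meant a destroy, or a plan that
  # forced replacement, would delete the prod data with nothing to restore from.
  skip_final_snapshot       = false
  final_snapshot_identifier = "prod-rds-final" # assumed name
  backup_retention_period   = 7

  # Leave the default (false) so reboot-requiring changes wait for the window.
  apply_immediately = false
}
```

Reading the password from SSM keeps it out of the .tf files, but Terraform still writes the resolved value into terraform.tfstate in plaintext, so the state backend needs the same protection as the parameter. Newer provider versions can avoid this with `manage_master_user_password = true`, which has RDS generate and store the password in Secrets Manager and drops the `password` argument altogether.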
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.myip-prod
File: /Lesson-28/old-all/main.tf:12-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
12 | resource "aws_eip" "myip-prod" {}
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.my_static_ip
File: /Lesson-14/main.tf:31-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
31 | resource "aws_eip" "my_static_ip" {
32 | vpc = true # Need to add in new AWS Provider version
33 | tags = {
34 | Name = "Static IP"
35 | Owner = var.owner
36 | Project = local.full_project_name
37 | proj_owner = local.project_owner
38 | city = local.city
39 | region_azs = local.az_list
40 | location = local.location
41 | }
42 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.vpc-default.aws_eip.nat[0]
File: /Lesson-21/modules/aws_network/main.tf:65-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
65 | resource "aws_eip" "nat" {
66 | count = length(var.private_subnet_cidrs)
67 | domain = "vpc"
68 | tags = {
69 | Name = "${var.env}-nat-gw-${count.index + 1}"
70 | }
71 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.vpc-prod.aws_eip.nat[0]
File: /Lesson-21/modules/aws_network/main.tf:65-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
65 | resource "aws_eip" "nat" {
66 | count = length(var.private_subnet_cidrs)
67 | domain = "vpc"
68 | tags = {
69 | Name = "${var.env}-nat-gw-${count.index + 1}"
70 | }
71 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.vpc-test.aws_eip.nat[0]
File: /Lesson-21/modules/aws_network/main.tf:65-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
65 | resource "aws_eip" "nat" {
66 | count = length(var.private_subnet_cidrs)
67 | domain = "vpc"
68 | tags = {
69 | Name = "${var.env}-nat-gw-${count.index + 1}"
70 | }
71 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.prod-ip1
File: /Lesson-28/new-prod/ip-prod.tf:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
1 | resource "aws_eip" "prod-ip1" { domain = "vpc" } # Need to add in new AWS Provider version
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.prod-ip2
File: /Lesson-28/new-prod/ip-prod.tf:2-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
2 | resource "aws_eip" "prod-ip2" { domain = "vpc" } # Need to add in new AWS Provider version
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.stag-ip1
File: /Lesson-28/new-staging/ip-stag.tf:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
1 | resource "aws_eip" "stag-ip1" { vpc = true } # Need to add in new AWS Provider version
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.stag-ip2
File: /Lesson-28/new-staging/ip-stag.tf:2-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
2 | resource "aws_eip" "stag-ip2" { vpc = true } # Need to add in new AWS Provider version
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.prod-ip1
File: /Lesson-28/old-all/ip-prod.tf:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
1 | resource "aws_eip" "prod-ip1" { domain = "vpc" } # Need to add in new AWS Provider version
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.prod-ip2
File: /Lesson-28/old-all/ip-prod.tf:2-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
2 | resource "aws_eip" "prod-ip2" { domain = "vpc" } # Need to add in new AWS Provider version
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.stag-ip1
File: /Lesson-28/old-all/ip-stag.tf:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
1 | resource "aws_eip" "stag-ip1" { domain = "vpc" } # Need to add in new AWS Provider version
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.stag-ip2
File: /Lesson-28/old-all/ip-stag.tf:2-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
2 | resource "aws_eip" "stag-ip2" { domain = "vpc" } # Need to add in new AWS Provider version
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.vpc-default.aws_eip.nat[1]
File: /Lesson-21/modules/aws_network/main.tf:65-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
65 | resource "aws_eip" "nat" {
66 | count = length(var.private_subnet_cidrs)
67 | domain = "vpc"
68 | tags = {
69 | Name = "${var.env}-nat-gw-${count.index + 1}"
70 | }
71 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.vpc-default.aws_eip.nat[2]
File: /Lesson-21/modules/aws_network/main.tf:65-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
65 | resource "aws_eip" "nat" {
66 | count = length(var.private_subnet_cidrs)
67 | domain = "vpc"
68 | tags = {
69 | Name = "${var.env}-nat-gw-${count.index + 1}"
70 | }
71 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.vpc-prod.aws_eip.nat[1]
File: /Lesson-21/modules/aws_network/main.tf:65-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
65 | resource "aws_eip" "nat" {
66 | count = length(var.private_subnet_cidrs)
67 | domain = "vpc"
68 | tags = {
69 | Name = "${var.env}-nat-gw-${count.index + 1}"
70 | }
71 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.vpc-prod.aws_eip.nat[2]
File: /Lesson-21/modules/aws_network/main.tf:65-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
65 | resource "aws_eip" "nat" {
66 | count = length(var.private_subnet_cidrs)
67 | domain = "vpc"
68 | tags = {
69 | Name = "${var.env}-nat-gw-${count.index + 1}"
70 | }
71 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: module.vpc-test.aws_eip.nat[1]
File: /Lesson-21/modules/aws_network/main.tf:65-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
65 | resource "aws_eip" "nat" {
66 | count = length(var.private_subnet_cidrs)
67 | domain = "vpc"
68 | tags = {
69 | Name = "${var.env}-nat-gw-${count.index + 1}"
70 | }
71 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /Lesson-20/Layer1-Network/main.tf:24-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
24 | resource "aws_vpc" "main" {
25 | cidr_block = var.vpc_cidr
26 | tags = {
27 | Name = "${var.env}-vpc"
28 | }
29 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc-default.aws_vpc.main
File: /Lesson-21/modules/aws_network/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
17 | resource "aws_vpc" "main" {
18 | cidr_block = var.vpc_cidr
19 | tags = {
20 | Name = "${var.env}-vpc"
21 | }
22 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc-dev.aws_vpc.main
File: /Lesson-21/modules/aws_network/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
17 | resource "aws_vpc" "main" {
18 | cidr_block = var.vpc_cidr
19 | tags = {
20 | Name = "${var.env}-vpc"
21 | }
22 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc-prod.aws_vpc.main
File: /Lesson-21/modules/aws_network/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
17 | resource "aws_vpc" "main" {
18 | cidr_block = var.vpc_cidr
19 | tags = {
20 | Name = "${var.env}-vpc"
21 | }
22 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc-test.aws_vpc.main
File: /Lesson-21/modules/aws_network/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
17 | resource "aws_vpc" "main" {
18 | cidr_block = var.vpc_cidr
19 | tags = {
20 | Name = "${var.env}-vpc"
21 | }
22 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.vpc1
File: /Lesson-23/stack1/main.tf:29-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
29 | resource "aws_vpc" "vpc1" {
30 | cidr_block = "10.0.0.0/16"
31 | tags = {
32 | Name = "Stack1-VPC1"
33 | Company = local.company_name
34 | Owner = local.owner
35 | }
36 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.vpc2
File: /Lesson-23/stack1/main.tf:39-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
39 | resource "aws_vpc" "vpc2" {
40 | cidr_block = "10.0.0.0/16"
41 | tags = merge(local.common_tags, { Name = "Stack1-VPC2" })
42 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.vpc1
File: /Lesson-23/stack2/main.tf:29-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
29 | resource "aws_vpc" "vpc1" {
30 | cidr_block = "10.0.0.0/16"
31 | tags = {
32 | Name = "Stack2-VPC1"
33 | Company = local.company_name
34 | Owner = local.owner
35 | }
36 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.vpc2
File: /Lesson-23/stack2/main.tf:39-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
39 | resource "aws_vpc" "vpc2" {
40 | cidr_block = "10.0.0.0/16"
41 | tags = merge(local.common_tags, { Name = "Stack2-VPC2" })
42 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc[0].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc-dev.aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc-prod.aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc-staging.aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc_list["dev"].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc[1].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc_list["prod"].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc_list["stag"].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http
File: /Lesson-11-ALB-LaunchTemplate/main.tf:126-135
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
126 | resource "aws_lb_listener" "http" {
127 | load_balancer_arn = aws_lb.web.arn
128 | port = "80"
129 | protocol = "HTTP"
130 |
131 | default_action {
132 | type = "forward"
133 | target_group_arn = aws_lb_target_group.web.arn
134 | }
135 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.web
File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
111 | resource "aws_lb" "web" {
112 | name = "WebServer-HighlyAvailable-ALB"
113 | load_balancer_type = "application"
114 | security_groups = [aws_security_group.web.id]
115 | subnets = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
116 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.web
File: /Lesson-11-ALB-LaunchTemplate/main.tf:111-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
111 | resource "aws_lb" "web" {
112 | name = "WebServer-HighlyAvailable-ALB"
113 | load_balancer_type = "application"
114 | security_groups = [aws_security_group.web.id]
115 | subnets = [aws_default_subnet.default_az1.id, aws_default_subnet.default_az2.id]
116 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-05/DynamicSecurityGroup.tf:16-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
16 | resource "aws_security_group" "my_webserver" {
17 | name = "Dynamic Security Group"
18 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
19 |
20 |
21 | dynamic "ingress" {
22 | for_each = ["80", "443", "8080", "1541", "9092", "9093"]
23 | content {
24 | from_port = ingress.value
25 | to_port = ingress.value
26 | protocol = "tcp"
27 | cidr_blocks = ["0.0.0.0/0"]
28 | }
29 | }
30 |
31 |
32 | ingress {
33 | from_port = 22
34 | to_port = 22
35 | protocol = "tcp"
36 | cidr_blocks = ["10.10.0.0/16"]
37 | }
38 |
39 |
40 |
41 | egress {
42 | from_port = 0
43 | to_port = 0
44 | protocol = "-1"
45 | cidr_blocks = ["0.0.0.0/0"]
46 | }
47 |
48 | tags = {
49 | Name = "Dynamic SecurityGroup"
50 | Owner = "Denis Astahov"
51 | }
52 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.my_webserver
File: /Lesson-17/main.tf:52-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
52 | resource "aws_security_group" "my_webserver" {
53 | name = "Dynamic Security Group"
54 | vpc_id = aws_default_vpc.default.id # This need to be added since AWS Provider v4.29+ to set VPC id
55 |
56 | dynamic "ingress" {
57 | for_each = lookup(var.allow_port_list, var.env)
58 | content {
59 | from_port = ingress.value
60 | to_port = ingress.value
61 | protocol = "tcp"
62 | cidr_blocks = ["0.0.0.0/0"]
63 | }
64 | }
65 | egress {
66 | from_port = 0
67 | to_port = 0
68 | protocol = "-1"
69 | cidr_blocks = ["0.0.0.0/0"]
70 | }
71 |
72 | tags = {
73 | Name = "Dynamic SecurityGroup"
74 | Owner = "Denis Astahov"
75 | }
76 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.nomad
File: /Lesson-26/import-begin.tf:18-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
18 | resource "aws_security_group" "nomad" {
19 |
20 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /Lesson-20/Layer1-Network/main.tf:24-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
24 | resource "aws_vpc" "main" {
25 | cidr_block = var.vpc_cidr
26 | tags = {
27 | Name = "${var.env}-vpc"
28 | }
29 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc-default.aws_vpc.main
File: /Lesson-21/modules/aws_network/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
17 | resource "aws_vpc" "main" {
18 | cidr_block = var.vpc_cidr
19 | tags = {
20 | Name = "${var.env}-vpc"
21 | }
22 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc-dev.aws_vpc.main
File: /Lesson-21/modules/aws_network/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
17 | resource "aws_vpc" "main" {
18 | cidr_block = var.vpc_cidr
19 | tags = {
20 | Name = "${var.env}-vpc"
21 | }
22 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc-prod.aws_vpc.main
File: /Lesson-21/modules/aws_network/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
17 | resource "aws_vpc" "main" {
18 | cidr_block = var.vpc_cidr
19 | tags = {
20 | Name = "${var.env}-vpc"
21 | }
22 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc-test.aws_vpc.main
File: /Lesson-21/modules/aws_network/main.tf:17-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
17 | resource "aws_vpc" "main" {
18 | cidr_block = var.vpc_cidr
19 | tags = {
20 | Name = "${var.env}-vpc"
21 | }
22 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.vpc1
File: /Lesson-23/stack1/main.tf:29-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
29 | resource "aws_vpc" "vpc1" {
30 | cidr_block = "10.0.0.0/16"
31 | tags = {
32 | Name = "Stack1-VPC1"
33 | Company = local.company_name
34 | Owner = local.owner
35 | }
36 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.vpc2
File: /Lesson-23/stack1/main.tf:39-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
39 | resource "aws_vpc" "vpc2" {
40 | cidr_block = "10.0.0.0/16"
41 | tags = merge(local.common_tags, { Name = "Stack1-VPC2" })
42 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.vpc1
File: /Lesson-23/stack2/main.tf:29-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
29 | resource "aws_vpc" "vpc1" {
30 | cidr_block = "10.0.0.0/16"
31 | tags = {
32 | Name = "Stack2-VPC1"
33 | Company = local.company_name
34 | Owner = local.owner
35 | }
36 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.vpc2
File: /Lesson-23/stack2/main.tf:39-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
39 | resource "aws_vpc" "vpc2" {
40 | cidr_block = "10.0.0.0/16"
41 | tags = merge(local.common_tags, { Name = "Stack2-VPC2" })
42 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc[0].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc-dev.aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc-prod.aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc-staging.aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc_list["dev"].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc[1].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc_list["prod"].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc_list["stag"].aws_vpc.main
File: /Lesson-31/modules/aws_network/main.tf:14-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
14 | resource "aws_vpc" "main" {
15 | cidr_block = var.vpc_cidr
16 | tags = {
17 | Name = "${var.env}-vpc"
18 | }
19 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_Ubuntu
File: /Lesson-01/Lesson-1.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
4 | resource "aws_instance" "my_Ubuntu" {
5 | ami = "ami-090f10efc254eaf55"
6 | instance_type = "t3.micro"
7 |
8 | tags = {
9 | Name = "My Ubuntu Server"
10 | Owner = "Denis Astahov"
11 | Project = "Terraform Lessons"
12 | }
13 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_Amazon
File: /Lesson-01/Lesson-1.tf:15-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
15 | resource "aws_instance" "my_Amazon" {
16 | ami = "ami-03a71cec707bfc3d7"
17 | instance_type = "t3.small"
18 |
19 | tags = {
20 | Name = "My Amazon Server"
21 | Owner = "Denis Astahov"
22 | Project = "Terraform Lessons"
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-02/WebServer.tf:16-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = <WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
26 | sudo service httpd start
27 | chkconfig httpd on
28 | EOF
29 |
30 | tags = {
31 | Name = "Web Server Build by Terraform"
32 | Owner = "Denis Astahov"
33 | }
34 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-03/WebServer.tf:16-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = file("user_data.sh")
21 |
22 | tags = {
23 | Name = "Web Server Build by Terraform"
24 | Owner = "Denis Astahov"
25 | }
26 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-04/WebServer.tf:16-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "my_webserver" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | instance_type = "t3.micro"
19 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
20 | user_data = templatefile("user_data.sh.tpl", {
21 | f_name = "Denis",
22 | l_name = "Astahov",
23 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha"]
24 | })
25 |
26 | tags = {
27 | Name = "Web Server Build by Terraform"
28 | Owner = "Denis Astahov"
29 | }
30 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-06/WebServer.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 | user_data_replace_on_change = true # Added in the new AWS provider!!!
36 |
37 | tags = {
38 | Name = "Web Server Build by Terraform"
39 | Owner = "Denis Astahov"
40 | }
41 |
42 | lifecycle {
43 | create_before_destroy = true
44 | }
45 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_webserver
File: /Lesson-07/main.tf:26-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
26 | resource "aws_instance" "my_webserver" {
27 | ami = "ami-07ab3281411d31d04"
28 | instance_type = "t3.micro"
29 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
30 | user_data = templatefile("user_data.sh.tpl", {
31 | f_name = "Denis",
32 | l_name = "Astahov",
33 | names = ["Vasya", "Kolya", "Petya", "John", "Donald", "Masha", "Lena", "Katya"]
34 | })
35 |
36 | tags = {
37 | Name = "Web Server Build by Terraform"
38 | Owner = "Denis Astahov"
39 | }
40 |
41 | lifecycle {
42 | create_before_destroy = true
43 | }
44 |
45 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server_web
File: /Lesson-08/main.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
13 | resource "aws_instance" "my_server_web" {
14 | ami = "ami-03a71cec707bfc3d7"
15 | instance_type = "t3.micro"
16 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
17 |
18 | tags = {
19 | Name = "Server-Web"
20 | }
21 | depends_on = [aws_instance.my_server_db, aws_instance.my_server_app]
22 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server_app
File: /Lesson-08/main.tf:24-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
24 | resource "aws_instance" "my_server_app" {
25 | ami = "ami-03a71cec707bfc3d7"
26 | instance_type = "t3.micro"
27 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
28 |
29 | tags = {
30 | Name = "Server-Application"
31 | }
32 |
33 | depends_on = [aws_instance.my_server_db]
34 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server_db
File: /Lesson-08/main.tf:37-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
37 | resource "aws_instance" "my_server_db" {
38 | ami = "ami-03a71cec707bfc3d7"
39 | instance_type = "t3.micro"
40 | vpc_security_group_ids = [aws_security_group.my_webserver.id]
41 |
42 | tags = {
43 | Name = "Server-Database"
44 | }
45 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server
File: /Lesson-12/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server
File: /Lesson-13/main.tf:45-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
45 | resource "aws_instance" "my_server" {
46 | ami = data.aws_ami.latest_amazon_linux.id
47 | instance_type = var.instance_type
48 | vpc_security_group_ids = [aws_security_group.my_server.id]
49 | monitoring = var.enable_detailed_monitoring
50 |
51 | tags = merge(var.common_tags, { Name = "${var.common_tags["Environment"]} Server Build by Terraform" })
52 |
53 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myserver
File: /Lesson-15/main.tf:50-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
50 | resource "aws_instance" "myserver" {
51 | ami = "ami-08a9b721ecc5b0a53"
52 | instance_type = "t3.micro"
53 | provisioner "local-exec" {
54 | command = "echo Hello from AWS Instance Creations!"
55 | }
56 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_webserver1
File: /Lesson-17/main.tf:16-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "my_webserver1" {
17 | ami = "ami-03a71cec707bfc3d7"
18 | //instance_type = (var.env == "prod" ? "t2.large" : "t2.micro")
19 | instance_type = var.env == "prod" ? var.ec2_size["prod"] : var.ec2_size["dev"]
20 |
21 | tags = {
22 | Name = "${var.env}-server"
23 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
24 | }
25 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_webserver2
File: /Lesson-17/main.tf:28-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
28 | resource "aws_instance" "my_webserver2" {
29 | ami = "ami-03a71cec707bfc3d7"
30 | instance_type = lookup(var.ec2_size, var.env)
31 |
32 | tags = {
33 | Name = "${var.env}-server"
34 | Owner = var.env == "prod" ? var.prod_onwer : var.noprod_owner
35 | }
36 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_dev_bastion
File: /Lesson-17/main.tf:40-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
40 | resource "aws_instance" "my_dev_bastion" {
41 | count = var.env == "dev" ? 1 : 0
42 | ami = "ami-03a71cec707bfc3d7"
43 | instance_type = "t2.micro"
44 |
45 | tags = {
46 | Name = "Bastion Server for Dev-server"
47 | }
48 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.servers[0]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_default_server
File: /Lesson-19/main.tf:67-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
67 | resource "aws_instance" "my_default_server" {
68 | instance_type = "t3.micro"
69 | ami = data.aws_ami.defaut_latest_ubuntu.id
70 | tags = {
71 | Name = "Default Server"
72 | }
73 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_usa_server
File: /Lesson-19/main.tf:75-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
75 | resource "aws_instance" "my_usa_server" {
76 | provider = aws.USA
77 | instance_type = "t3.micro"
78 | ami = data.aws_ami.usa_latest_ubuntu.id
79 | tags = {
80 | Name = "USA Server"
81 | }
82 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_ger_server
File: /Lesson-19/main.tf:84-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
84 | resource "aws_instance" "my_ger_server" {
85 | provider = aws.GER
86 | instance_type = "t3.micro"
87 | ami = data.aws_ami.ger_latest_ubuntu.id
88 | tags = {
89 | Name = "GERMANY Server"
90 | }
91 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web_server
File: /Lesson-20/Layer2-Servers/main.tf:42-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
42 | resource "aws_instance" "web_server" {
43 | ami = data.aws_ami.latest_amazon_linux.id
44 | instance_type = "t3.micro"
45 | vpc_security_group_ids = [aws_security_group.webserver.id]
46 | subnet_id = data.terraform_remote_state.network.outputs.public_subnet_ids[0]
47 | user_data = <WebServer with IP: $myip
Build by Terraform with Remote State" > /var/www/html/index.html
53 | sudo service httpd start
54 | chkconfig httpd on
55 | EOF
56 | tags = {
57 | Name = "${var.env}-WebServer"
58 | }
59 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-begin.tf:6-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
6 | resource "aws_instance" "node1" {
7 |
8 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-begin.tf:10-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
10 | resource "aws_instance" "node2" {
11 |
12 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-begin.tf:14-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
14 | resource "aws_instance" "node3" {
15 |
16 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node1
File: /Lesson-26/import-finish.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "node1" {
2 | ami = "ami-0a634ae95e11c6f91"
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.nomad.id]
5 | ebs_optimized = true
6 | tags = {
7 | Name = "Nomad Ubuntu Node-1"
8 | Owner = "Denis Astahov"
9 | }
10 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node2
File: /Lesson-26/import-finish.tf:12-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
12 | resource "aws_instance" "node2" {
13 | ami = "ami-0a634ae95e11c6f91"
14 | instance_type = "t3.micro"
15 | vpc_security_group_ids = [aws_security_group.nomad.id]
16 | ebs_optimized = true
17 | tags = {
18 | Name = "Nomad Ubuntu Node-2"
19 | Owner = "Denis Astahov"
20 | }
21 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node3
File: /Lesson-26/import-finish.tf:23-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
23 | resource "aws_instance" "node3" {
24 | ami = "ami-0a634ae95e11c6f91"
25 | instance_type = "t3.micro"
26 | vpc_security_group_ids = [aws_security_group.nomad.id]
27 | ebs_optimized = true
28 | tags = {
29 | Name = "Nomad Ubuntu Node-3"
30 | Owner = "Denis Astahov"
31 | }
32 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node1
File: /Lesson-27-v0.15.2+/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node2
File: /Lesson-27-v0.15.2+/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node3
File: /Lesson-27-v0.15.2+/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node1
File: /Lesson-27/main.tf:8-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
8 | resource "aws_instance" "node1" {
9 | ami = "ami-05655c267c89566dd"
10 | instance_type = "t3.micro"
11 | tags = {
12 | Name = "Node-1"
13 | Owner = "Denis Astahov"
14 | }
15 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node2
File: /Lesson-27/main.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
17 | resource "aws_instance" "node2" {
18 | ami = "ami-05655c267c89566dd"
19 | instance_type = "t3.micro"
20 | tags = {
21 | Name = "Node-2"
22 | Owner = "Denis Astahov"
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.node3
File: /Lesson-27/main.tf:26-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
26 | resource "aws_instance" "node3" {
27 | ami = "ami-05655c267c89566dd"
28 | instance_type = "t3.micro"
29 | tags = {
30 | Name = "Node-3"
31 | Owner = "Denis Astahov"
32 | }
33 | depends_on = [aws_instance.node2]
34 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/new-prod/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/new-staging/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <STAG WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web-prod
File: /Lesson-28/old-all/web-prod.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "web-prod" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-prod.id]
5 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "PROD WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web-stag
File: /Lesson-28/old-all/web-stag.tf:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "web-stag" {
2 | ami = data.aws_ami.latest_amazon_linux.id
3 | instance_type = "t3.micro"
4 | vpc_security_group_ids = [aws_security_group.web-stag.id]
5 | user_data = <STAG WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
11 | sudo service httpd start
12 | chkconfig httpd on
13 | EOF
14 |
15 | tags = {
16 | Name = "STAG WebServer"
17 | Owner = "Denis Astahov"
18 | }
19 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /Lesson-29/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = "t3.micro"
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <PROD WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "PROD WebServer - ${terraform.workspace}"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /Lesson-30/main.tf:10-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
10 | resource "aws_instance" "web" {
11 | ami = data.aws_ami.latest_amazon_linux.id
12 | instance_type = var.server_size
13 | vpc_security_group_ids = [aws_security_group.web.id]
14 | user_data = <${var.server_name}-WebServer with IP: $myip
Build by Terraform!" > /var/www/html/index.html
20 | sudo service httpd start
21 | chkconfig httpd on
22 | EOF
23 |
24 | tags = {
25 | Name = "${var.server_name}-WebServer"
26 | Owner = "Denis Astahov"
27 | }
28 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.servers.aws_instance.server_root
File: /Lesson-32/module_servers/main.tf:46-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
46 | resource "aws_instance" "server_root" {
47 | provider = aws.root
48 | ami = data.aws_ami.latest_ubuntu20_root.id
49 | instance_type = var.instance_type
50 | tags = { Name = "Server-ROOT" }
51 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.servers.aws_instance.server_prod
File: /Lesson-32/module_servers/main.tf:53-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
53 | resource "aws_instance" "server_prod" {
54 | provider = aws.prod
55 | ami = data.aws_ami.latest_ubuntu20_prod.id
56 | instance_type = var.instance_type
57 | tags = { Name = "Server-PROD" }
58 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: module.servers.aws_instance.server_dev
File: /Lesson-32/module_servers/main.tf:60-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
60 | resource "aws_instance" "server_dev" {
61 | provider = aws.dev
62 | ami = data.aws_ami.latest_ubuntu20_dev.id
63 | instance_type = var.instance_type
64 | tags = { Name = "Server-DEV" }
65 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.servers[1]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.servers[2]
File: /Lesson-18/main.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
24 | resource "aws_instance" "servers" {
25 | count = 3
26 | ami = "ami-07ab3281411d31d04"
27 | instance_type = "t3.micro"
28 | tags = {
29 | Name = "Server Number ${count.index + 1}"
30 | }
31 | }
terraform_plan scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
secrets scan results:
Passed checks: 0, Failed checks: 1, Skipped checks: 0
Check: CKV_SECRET_13: "Private Key"
FAILED for resource: 845742a272b4969174897edaf861275c2bb5220d
File: /Lesson-24/mygcp-creds.json:1-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-13.html
1 | // Fake Credentials file, but should look like this
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools